CVE-2026-35363
Received Received - Intake
Path Traversal Bypass in uutils coreutils rm Causes Data Loss

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: Canonical Ltd.

Description
A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35363
EUVD
EUVD-2026-25008
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the rm utility of uutils coreutils. The utility is designed to prevent deletion of the current directory by refusing to delete '.' or '..'. However, it fails to recognize equivalent paths that include trailing slashes, such as './' or './//'. As a result, executing the command 'rm -rf ./' can bypass these safeguards and cause the recursive deletion of all contents within the current directory.

Additionally, the utility reports a misleading 'Invalid input' error after this operation, which can obscure the data loss and cause users to miss the opportunity to recover their data.

Impact Analysis

This vulnerability can lead to accidental or malicious deletion of all files and subdirectories within the current directory without proper warning. Because the rm utility reports a misleading error message, users may not realize the extent of the data loss immediately, reducing the chances of timely data recovery.

The impact includes potential loss of important data, disruption of services or workflows, and increased recovery costs.

Compliance Impact

The vulnerability in the rm utility of uutils coreutils allows silent recursive deletion of the current directory contents when using paths with trailing slashes such as ./ or .///. This can lead to unintended data loss without clear indication to the user.

Such silent and potentially accidental data deletion could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require organizations to ensure data integrity, availability, and proper safeguards against data loss.

Because the vulnerability causes misleading error messages and obscures the data loss event, it may hinder timely detection and recovery, thereby increasing the risk of non-compliance with requirements for data protection, auditability, and incident response.

Detection Guidance

This vulnerability can be detected by testing the behavior of the rm utility from uutils coreutils when deleting the current directory using paths with trailing slashes.

Specifically, running the command `rm -rf ./` in a controlled environment can reveal the issue if it results in the recursive deletion of the current directory contents while outputting an 'Invalid input' error message.

This differs from the expected behavior of GNU rm, which refuses to delete the current directory and reports an error without deleting any files.

Mitigation Strategies

To mitigate this vulnerability, avoid using the rm command with paths that include trailing slashes referring to the current directory, such as rm -rf ./ or variants like rm -rf .///.

Instead, use explicit paths without trailing slashes or use alternative safe deletion methods until a patch or fix is applied.

Be cautious of misleading error messages from the rm utility that may indicate failure but actually result in data deletion.

Monitor for updates or patches from the uutils coreutils project and apply them promptly once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35363. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart