CVE-2026-35363
Path Traversal Bypass in uutils coreutils rm Causes Data Loss

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: Canonical Ltd.

Description
A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.
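The safeguard failure described above, as an added Rust example that is not uutils code: a naive dot/dot-dot comparison of the kind that trailing slashes slip past, beside a hardened version that strips trailing slashes before comparing. The hardened check is slightly more general than the page's `.`/`..` case, since it inspects the final path component (POSIX requires rm to refuse any operand whose final component is dot or dot-dot). The operands in `main` are constructed samples; the code only classifies strings and deletes nothing.

```rust
// Added example (not uutils coreutils code): how a dot/dot-dot refusal check
// can be bypassed by trailing slashes, and how to normalise before comparing.

/// Naive check of the kind the advisory describes as bypassable: it matches
/// only the exact strings "." and "..", so "./" and ".///" pass through.
fn naive_is_dot_or_dotdot(arg: &str) -> bool {
    arg == "." || arg == ".."
}

/// Hardened check: remove any run of trailing slashes first, then look at the
/// final path component, so "./", ".///", "../", "..//" and "foo/./" are all
/// refused. An operand made only of slashes ("/") is the root, not dot, and is
/// deliberately not matched here.
fn is_dot_or_dotdot(arg: &str) -> bool {
    let trimmed = arg.trim_end_matches('/');
    if trimmed.is_empty() {
        return false;
    }
    matches!(trimmed.rsplit('/').next(), Some(".") | Some(".."))
}

/// Operands that the naive check would hand to the deletion routine but the
/// hardened check refuses, i.e. the bypass variants the advisory describes.
fn bypass_variants<'a>(args: &[&'a str]) -> Vec<&'a str> {
    args.iter()
        .copied()
        .filter(|a| !naive_is_dot_or_dotdot(a) && is_dot_or_dotdot(a))
        .collect()
}

fn main() {
    // Constructed sample operands, including the advisory's "./" and ".///".
    let operands = [".", "..", "./", ".///", "../", "foo", "foo/", "./foo", "/"];
    for op in operands {
        println!(
            "{:8} naive_refuses={} hardened_refuses={}",
            op,
            naive_is_dot_or_dotdot(op),
            is_dot_or_dotdot(op)
        );
    }
    println!("bypass variants: {:?}", bypass_variants(&operands));
}
```

Trimming slashes on the operand string, rather than resolving the path on disk, keeps the check independent of whether the directory exists or what it links to, which is what a refusal safeguard in a deletion tool needs.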
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: uutils
Product: coreutils
Version / Range: *
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the rm utility of uutils coreutils. The utility is designed to prevent deletion of the current directory by refusing to delete '.' or '..'. However, it fails to recognize equivalent paths that include trailing slashes, such as './' or './//'. As a result, executing the command 'rm -rf ./' can bypass these safeguards and cause the recursive deletion of all contents within the current directory.

Additionally, the utility reports a misleading 'Invalid input' error after this operation, which can obscure the data loss and cause users to miss the opportunity to recover their data.

How can this vulnerability impact me?

This vulnerability can lead to accidental or malicious deletion of all files and subdirectories within the current directory without proper warning. Because the rm utility reports a misleading error message, users may not realize the extent of the data loss immediately, reducing the chances of timely data recovery.

The impact includes potential loss of important data, disruption of services or workflows, and increased recovery costs.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the rm utility of uutils coreutils allows silent recursive deletion of the current directory contents when using paths with trailing slashes such as ./ or .///. This can lead to unintended data loss without clear indication to the user.

Such silent and potentially accidental data deletion could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require organizations to ensure data integrity, availability, and proper safeguards against data loss.

Because the vulnerability causes misleading error messages and obscures the data loss event, it may hinder timely detection and recovery, thereby increasing the risk of non-compliance with requirements for data protection, auditability, and incident response.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the behavior of the rm utility from uutils coreutils when deleting the current directory using paths with trailing slashes.

Specifically, running the command `rm -rf ./` in a controlled environment can reveal the issue if it results in the recursive deletion of the current directory contents while outputting an 'Invalid input' error message.

This differs from the expected behavior of GNU rm, which refuses to delete the current directory and reports an error without deleting any files.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid using the rm command with paths that include trailing slashes referring to the current directory, such as rm -rf ./ or variants like rm -rf .///.

Instead, use explicit paths without trailing slashes or use alternative safe deletion methods until a patch or fix is applied.

Be cautious of misleading error messages from the rm utility that may indicate failure but actually result in data deletion.

Monitor for updates or patches from the uutils coreutils project and apply them promptly once available.
