CVE-2026-35349 Overview
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection mechanism. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.
Critical Impact
This vulnerability enables complete filesystem destruction through symbolic link manipulation, bypassing the safety mechanism designed to prevent accidental deletion of the root directory.
Affected Products
- uutils coreutils versions prior to 0.7.0
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35349 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35349
Vulnerability Analysis
This vulnerability (CWE-59: Improper Link Resolution Before File Access) exists in the rm utility's --preserve-root implementation within uutils coreutils. The --preserve-root option is a critical safety mechanism designed to prevent users from accidentally deleting the entire filesystem by running commands like rm -rf /.
The fundamental flaw lies in how the utility identifies the root directory. Instead of using reliable filesystem metadata such as device ID and inode numbers to uniquely identify the root directory, the implementation performs a simple string comparison on the path argument. This approach fails to account for symbolic links that resolve to the root directory.
When a user creates a symbolic link pointing to / (for example, ln -s / /tmp/rootlink) and then attempts to recursively delete that link's target, the --preserve-root check only examines the literal path string /tmp/rootlink rather than resolving where it actually points. Since the string /tmp/rootlink does not match /, the protection is bypassed, and the recursive deletion proceeds against the actual root filesystem.
Root Cause
The root cause is an improper link resolution check (CWE-59) in the path validation logic. The --preserve-root implementation compares the provided path string directly rather than resolving symbolic links and comparing the underlying device and inode numbers. This string-based approach is fundamentally insecure because symbolic links can point anywhere on the filesystem, allowing adversaries or careless users to circumvent path-based restrictions.
Attack Vector
This is a local attack vector requiring direct system access or command execution capabilities. An attacker with the ability to execute commands on a target system can:
- Create a symbolic link pointing to the root directory (e.g., ln -s / /tmp/rootlink)
- Execute rm -rf /tmp/rootlink with sufficient privileges
- The --preserve-root check fails to detect that the operation targets the root filesystem
- The entire root filesystem is recursively deleted, resulting in complete system destruction
The attack is particularly dangerous because it exploits a safety mechanism that users and administrators may trust to prevent catastrophic mistakes. This vulnerability requires no authentication bypass but does require local access or command injection capabilities.
Detection Methods for CVE-2026-35349
Indicators of Compromise
- Presence of symbolic links in temporary directories (e.g., /tmp, /var/tmp) pointing to the root directory /
- Unexpected filesystem damage or missing critical system files
- Process monitoring showing rm commands targeting unusual symbolic links with recursive flags
Detection Strategies
- Monitor for symbolic link creation events pointing to the root directory using file integrity monitoring tools
- Implement auditd rules to log all rm command executions with recursive flags (-r, -rf, --recursive)
- Deploy endpoint detection to alert on suspicious symbolic link patterns in temporary directories
Monitoring Recommendations
- Enable filesystem auditing on critical directories to detect unexpected bulk deletions
- Configure SIEM alerts for unusual rm command patterns or symbolic link manipulation
- Implement real-time file integrity monitoring on critical system paths
How to Mitigate CVE-2026-35349
Immediate Actions Required
- Upgrade uutils coreutils to version 0.7.0 or later immediately
- Audit systems for any suspicious symbolic links pointing to the root directory
- Restrict rm command usage through privilege controls where possible
- Consider implementing additional safeguards such as safe-rm wrappers
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.7.0. The fix implements proper device and inode comparison instead of simple path string matching. For technical details on the fix, see the GitHub Pull Request for Coreutils. The patched release is available at GitHub Coreutils Release 0.7.0.
Workarounds
- Use the --one-file-system flag with rm commands to prevent crossing filesystem boundaries
- Implement wrapper scripts that resolve symbolic links before executing destructive operations
- Restrict write access to temporary directories where symbolic links could be maliciously created
- Consider using GNU coreutils instead of uutils coreutils until patching is completed
# Configuration example - Verify symlink targets before rm operations
# Check if a path resolves to root before allowing deletion
target=$(readlink -f "$1")
if [ "$target" = "/" ]; then
echo "Error: Target resolves to root filesystem. Aborting."
exit 1
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
