Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35349

CVE-2026-35349: uutils coreutils Auth Bypass Vulnerability

CVE-2026-35349 is an authentication bypass flaw in uutils coreutils rm utility that allows attackers to circumvent --preserve-root protection via symbolic links. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-35349 Overview

A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection mechanism. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.

Critical Impact

This vulnerability enables complete filesystem destruction through symbolic link manipulation, bypassing the safety mechanism designed to prevent accidental deletion of the root directory.

Affected Products

  • uutils coreutils versions prior to 0.7.0

Discovery Timeline

  • 2026-04-22 - CVE CVE-2026-35349 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35349

Vulnerability Analysis

This vulnerability (CWE-59: Improper Link Resolution Before File Access) exists in the rm utility's --preserve-root implementation within uutils coreutils. The --preserve-root option is a critical safety mechanism designed to prevent users from accidentally deleting the entire filesystem by running commands like rm -rf /.

The fundamental flaw lies in how the utility identifies the root directory. Instead of using reliable filesystem metadata such as device ID and inode numbers to uniquely identify the root directory, the implementation performs a simple string comparison on the path argument. This approach fails to account for symbolic links that resolve to the root directory.

When a user creates a symbolic link pointing to / (for example, ln -s / /tmp/rootlink) and then attempts to recursively delete that link's target, the --preserve-root check only examines the literal path string /tmp/rootlink rather than resolving where it actually points. Since the string /tmp/rootlink does not match /, the protection is bypassed, and the recursive deletion proceeds against the actual root filesystem.

Root Cause

The root cause is an improper link resolution check (CWE-59) in the path validation logic. The --preserve-root implementation compares the provided path string directly rather than resolving symbolic links and comparing the underlying device and inode numbers. This string-based approach is fundamentally insecure because symbolic links can point anywhere on the filesystem, allowing adversaries or careless users to circumvent path-based restrictions.

Attack Vector

This is a local attack vector requiring direct system access or command execution capabilities. An attacker with the ability to execute commands on a target system can:

  1. Create a symbolic link pointing to the root directory (e.g., ln -s / /tmp/rootlink)
  2. Execute rm -rf /tmp/rootlink with sufficient privileges
  3. The --preserve-root check fails to detect that the operation targets the root filesystem
  4. The entire root filesystem is recursively deleted, resulting in complete system destruction

The attack is particularly dangerous because it exploits a safety mechanism that users and administrators may trust to prevent catastrophic mistakes. This vulnerability requires no authentication bypass but does require local access or command injection capabilities.

Detection Methods for CVE-2026-35349

Indicators of Compromise

  • Presence of symbolic links in temporary directories (e.g., /tmp, /var/tmp) pointing to the root directory /
  • Unexpected filesystem damage or missing critical system files
  • Process monitoring showing rm commands targeting unusual symbolic links with recursive flags

Detection Strategies

  • Monitor for symbolic link creation events pointing to the root directory using file integrity monitoring tools
  • Implement auditd rules to log all rm command executions with recursive flags (-r, -rf, --recursive)
  • Deploy endpoint detection to alert on suspicious symbolic link patterns in temporary directories

Monitoring Recommendations

  • Enable filesystem auditing on critical directories to detect unexpected bulk deletions
  • Configure SIEM alerts for unusual rm command patterns or symbolic link manipulation
  • Implement real-time file integrity monitoring on critical system paths

How to Mitigate CVE-2026-35349

Immediate Actions Required

  • Upgrade uutils coreutils to version 0.7.0 or later immediately
  • Audit systems for any suspicious symbolic links pointing to the root directory
  • Restrict rm command usage through privilege controls where possible
  • Consider implementing additional safeguards such as safe-rm wrappers

Patch Information

The vulnerability has been addressed in uutils coreutils version 0.7.0. The fix implements proper device and inode comparison instead of simple path string matching. For technical details on the fix, see the GitHub Pull Request for Coreutils. The patched release is available at GitHub Coreutils Release 0.7.0.

Workarounds

  • Use the --one-file-system flag with rm commands to prevent crossing filesystem boundaries
  • Implement wrapper scripts that resolve symbolic links before executing destructive operations
  • Restrict write access to temporary directories where symbolic links could be maliciously created
  • Consider using GNU coreutils instead of uutils coreutils until patching is completed
bash
# Configuration example - Verify symlink targets before rm operations
# Check if a path resolves to root before allowing deletion
target=$(readlink -f "$1")
if [ "$target" = "/" ]; then
    echo "Error: Target resolves to root filesystem. Aborting."
    exit 1
fi

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.