Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35363

CVE-2026-35363: uutils Coreutils Path Traversal Flaw

CVE-2026-35363 is a path traversal vulnerability in uutils coreutils that bypasses safeguards, allowing rm -rf ./ to delete directory contents silently. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-35363 Overview

A path traversal vulnerability exists in the rm utility of uutils coreutils that allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading "Invalid input" error, which may cause users to miss the critical window for data recovery.

Critical Impact

Silent recursive deletion of current directory contents with misleading error messages, potentially causing significant data loss before users recognize the issue.

Affected Products

  • uutils coreutils (versions with vulnerable rm implementation)

Discovery Timeline

  • 2026-04-22 - CVE CVE-2026-35363 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35363

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The core issue lies in insufficient path normalization within the rm utility's protection logic. The safeguard mechanism was designed to prevent users from accidentally deleting the current directory (.) or parent directory (..), but the implementation fails to account for semantically equivalent path representations.

When a user executes rm -rf ./, the utility does not recognize that ./ refers to the same location as .. This incomplete validation allows the recursive deletion operation to proceed, removing all files and subdirectories within the current working directory. The vulnerability is particularly dangerous because the misleading "Invalid input" error message provides no indication of the actual data destruction that has occurred.

The local attack vector requires user interaction, as the command must be executed either accidentally by a user or through social engineering. However, the potential for data loss is significant, especially in development or production environments where critical files may be permanently deleted.

Root Cause

The root cause is an incomplete path canonicalization check in the rm utility's safeguard mechanism. The protection logic performs a simple string comparison against . and .. but does not normalize paths to handle trailing slashes or other equivalent path representations such as ./, .//, or .///. This oversight creates a gap between the intended security behavior and the actual implementation.

Attack Vector

The vulnerability requires local access and user interaction. An attacker could exploit this flaw through several scenarios:

  1. Social Engineering: Tricking a user into executing a seemingly harmless command that includes the ./ pattern
  2. Script Injection: Modifying scripts or automation tools to include the vulnerable command pattern
  3. Accidental Execution: Users typing rm -rf ./ instead of a specific path, expecting the safeguard to prevent directory deletion

The misleading error message compounds the attack by delaying the victim's recognition of the data loss, reducing the window for potential recovery actions such as restoring from backups or stopping the deletion process.

Detection Methods for CVE-2026-35363

Indicators of Compromise

  • Unexpected disappearance of files and directories in working directories
  • Shell history entries containing rm -rf ./ or similar patterns with trailing slashes
  • Process logs showing rm operations with unusual path patterns like ./// or ././

Detection Strategies

  • Monitor for rm command execution with arguments matching patterns like ./, .//, or similar trailing slash variations
  • Implement file integrity monitoring on critical directories to detect unexpected mass deletions
  • Review shell history and audit logs for suspicious rm command patterns

Monitoring Recommendations

  • Enable command-line auditing on systems running uutils coreutils
  • Configure alerts for large-scale file deletion events in monitored directories
  • Implement backup verification processes to ensure recovery capability

How to Mitigate CVE-2026-35363

Immediate Actions Required

  • Review and update uutils coreutils installations to the latest version once a patch is available
  • Educate users about the vulnerability and the dangerous command patterns to avoid
  • Consider implementing shell aliases or wrapper scripts that add additional path validation

Patch Information

A patch addressing this vulnerability is being tracked in the GitHub Issue Discussion. Users should monitor this issue for updates on the official fix and upgrade their installations when a patched version becomes available.

Workarounds

  • Use absolute paths instead of relative paths with trailing slashes when executing rm commands
  • Implement a shell alias for rm that validates input paths before execution
  • Configure restricted shells or permission controls to limit rm -rf usage in sensitive directories
bash
# Workaround: Shell alias to validate rm commands
# Add to .bashrc or .zshrc to warn about dangerous patterns
alias rm='_safe_rm() { 
  for arg in "$@"; do 
    case "$arg" in 
      ./*|../*) echo "Warning: Potentially dangerous path pattern detected"; return 1 ;; 
    esac; 
  done; 
  command rm "$@"; 
}; _safe_rm'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.