CVE-2026-35363 Overview
A path traversal vulnerability exists in the rm utility of uutils coreutils that allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading "Invalid input" error, which may cause users to miss the critical window for data recovery.
Critical Impact
Silent recursive deletion of current directory contents with misleading error messages, potentially causing significant data loss before users recognize the issue.
Affected Products
- uutils coreutils (versions with vulnerable rm implementation)
Discovery Timeline
- 2026-04-22 - CVE-2026-35363 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35363
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The core issue lies in insufficient path normalization within the rm utility's protection logic. The safeguard mechanism was designed to prevent users from accidentally deleting the current directory (.) or parent directory (..), but the implementation fails to account for semantically equivalent path representations.
When a user executes rm -rf ./, the utility does not recognize that ./ names the same directory as the bare . entry it already refuses. Because the check passes, the recursive deletion proceeds and removes every file and subdirectory within the current working directory. The vulnerability is particularly dangerous because the misleading "Invalid input" error message gives no indication that any data has actually been destroyed.
The local attack vector requires user interaction, as the command must be executed either accidentally by a user or through social engineering. However, the potential for data loss is significant, especially in development or production environments where critical files may be permanently deleted.
Root Cause
The root cause is an incomplete path canonicalization check in the rm utility's safeguard mechanism. The protection logic performs a simple string comparison against . and .. but does not normalize paths to handle trailing slashes or other equivalent path representations such as ./, .//, or .///. This oversight creates a gap between the intended security behavior and the actual implementation.
Attack Vector
The vulnerability requires local access and user interaction. An attacker could exploit this flaw through several scenarios:
- Social Engineering: Tricking a user into executing a seemingly harmless command that includes the ./ pattern
- Script Injection: Modifying scripts or automation tools to include the vulnerable command pattern
- Accidental Execution: Users typing rm -rf ./ instead of a specific path, expecting the safeguard to prevent directory deletion
The misleading error message compounds the attack by delaying the victim's recognition of the data loss, reducing the window for potential recovery actions such as restoring from backups or stopping the deletion process.
Detection Methods for CVE-2026-35363
Indicators of Compromise
- Unexpected disappearance of files and directories in working directories
- Shell history entries containing rm -rf ./ or similar patterns with trailing slashes
- Process logs showing rm operations with unusual path patterns like ./// or ././
Detection Strategies
- Monitor for rm command execution with arguments matching patterns like ./, .//, or similar trailing slash variations
- Implement file integrity monitoring on critical directories to detect unexpected mass deletions
- Review shell history and audit logs for suspicious rm command patterns
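The following is an added example, not code from uutils coreutils or from this advisory. It contrasts the literal comparison described under Root Cause with a normalized check that strips trailing slashes and inspects the final path component (which also catches forms like tmp/. that the page does not list), and then applies that same check as the shell-history detection rule from the Detection Strategies list, over a constructed history sample.

```rust
/// The flawed safeguard described above: a literal comparison that catches
/// "." and ".." but lets "./", ".//" and ".///" through.
fn refuses_naive(path: &str) -> bool {
    path == "." || path == ".."
}

/// Hardened check: drop trailing slashes, then test the final path component,
/// so every spelling of the current or parent directory is refused (this
/// also covers forms like "tmp/." that the page does not list).
fn refuses_normalized(path: &str) -> bool {
    let trimmed = path.trim_end_matches('/');
    if trimmed.is_empty() {
        // "/" or a run of slashes: root protection is a separate concern.
        return false;
    }
    let last = trimmed.rsplit('/').next().unwrap_or(trimmed);
    matches!(last, "." | "..")
}

/// Constructed shell-history sample (not real data) for the detection check.
const HISTORY: &[&str] = &[
    "rm -rf ./",      // the CVE pattern: wipes the working directory
    "rm -rf .///",    // same location, extra slashes
    "rm -rf ./build", // legitimate: a named subdirectory
    "rm -f notes.txt",
    "ls -la ./",      // not an rm invocation
];

/// Return the history lines whose rm arguments name "." or ".." under any
/// spelling; the same normalized check serves as the detection rule.
fn flag_history(lines: &[&str]) -> Vec<String> {
    lines
        .iter()
        .filter(|line| {
            let mut words = line.split_whitespace();
            words.next() == Some("rm")
                && words.filter(|w| !w.starts_with('-')).any(refuses_normalized)
        })
        .map(|l| l.to_string())
        .collect()
}

fn main() {
    for p in [".", "./", ".///", "../", "./src", "tmp/."] {
        println!("{p:8} naive={} normalized={}", refuses_naive(p), refuses_normalized(p));
    }
    println!("flagged: {:?}", flag_history(HISTORY));
}
```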
Monitoring Recommendations
- Enable command-line auditing on systems running uutils coreutils
- Configure alerts for large-scale file deletion events in monitored directories
- Implement backup verification processes to ensure recovery capability
How to Mitigate CVE-2026-35363
Immediate Actions Required
- Review and update uutils coreutils installations to the latest version once a patch is available
- Educate users about the vulnerability and the dangerous command patterns to avoid
- Consider implementing shell aliases or wrapper scripts that add additional path validation
Patch Information
A patch addressing this vulnerability is being tracked in the GitHub Issue Discussion. Users should monitor this issue for updates on the official fix and upgrade their installations when a patched version becomes available.
Workarounds
- Use absolute paths instead of relative paths with trailing slashes when executing rm commands
- Implement a shell alias for rm that validates input paths before execution
- Configure restricted shells or permission controls to limit rm -rf usage in sensitive directories
# Workaround: shell function, aliased over rm, that refuses any argument naming
# the current or parent directory under any spelling (., ./, .///, ../, a/., ...)
# while still allowing ordinary relative paths such as ./build.
# Add to .bashrc or .zshrc
_safe_rm() {
    local arg stripped
    for arg in "$@"; do
        stripped=$arg
        # drop trailing slashes so ./ and ./// compare equal to . (but keep a lone /)
        while [ "${stripped%/}" != "$stripped" ] && [ "${stripped%/}" != "" ]; do
            stripped=${stripped%/}
        done
        case "$stripped" in
            .|..|*/.|*/..)
                echo "rm: refusing to remove '$arg': names the current or parent directory" >&2
                return 1 ;;
        esac
    done
    command rm "$@"
}
alias rm='_safe_rm'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.