CVE-2026-35349 - Vulnerability Details

- uutils coreutils Path-Based Safety Bypass with --preserve-root

Description

A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.

Published: 2026-04-22

Score: 6.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw exists in the rm command of uutils coreutils. The program verifies the presence of / when the user supplies the --preserve-root flag by inspecting the path string instead of checking the underlying device and inode numbers. If a symbolic link that points to / is supplied, the check passes and the command proceeds to remove files normally. An attacker or accidental user can trigger the dangerous behavior by providing such a link, causing rm to delete the entire root filesystem recursively.

Affected Systems

The vulnerability affects the uutils coreutils package, specifically the rm utility in releases prior to v0.7.0. Any systems that rely on the uutils coreutils binary and have not applied the patch in the 0.7.0 release are potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate severity and the attack likely requires local execution with elevated privileges, as removing the root filesystem requires root or similar rights. The EPSS score of < 1% indicates a very low but non‑zero probability of exploitation, and the vulnerability is not listed in CISA's KEV catalogue, but its impact remains substantial because a single mistaken invocation can cause catastrophic data loss. Updating to a patched version negates the problem and removes the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Uutils

coreutils

unaffected

Version	Status	Constraints
`0`	affected	< 0.7.0

Configuration 1 [-]

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

No data.

Vendor Product Confidence Versions

Uutils

Coreutils

100%

Version	Status	Scheme	Platform
`[0,0.7.0)`	affected	semver	['linux', 'unix', 'macos']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update uutils coreutils to version 0.7.0 or newer where the root safety check compares device and inode numbers.
Limit the use of rm with --preserve-root to privileged users only; enforce this through file permissions or sudoers restrictions.
Audit scripts and automation tools that might invoke rm and replace any hazardous uses of symbolic links pointing to root with safer alternatives or remove the links entirely.

Generated by OpenCVE AI on April 28, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-v762-x3cf-5mfg	uutils coreutils has a Link Following Issue Via rm Utility

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/uutils/coreutils/pull/9706
https://github.com/uutils/coreutils/releases/tag/0.7.0

History

Mon, 27 Apr 2026 12:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Uutils Uutils coreutils
CPEs		cpe:2.3:a:uutils:coreutils::::::rust::*
Vendors & Products		Uutils Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.
Title		uutils coreutils Path-Based Safety Bypass with --preserve-root
Weaknesses		CWE-59
References		https://github.com/uutils/coreutils/pull/9706 https://github.com/uutils/coreutils/releases/tag/0.7.0
Metrics		cvssV3_1 `{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

Uutils Coreutils

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-22T16:07:59.808Z

Updated: 2026-04-22T18:05:13.169Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35349

Vulnrichment

Updated: 2026-04-22T18:05:04.439Z

NVD

Status : Analyzed

Published: 2026-04-22T17:16:37.190

Modified: 2026-04-27T12:28:17.903

Link: CVE-2026-35349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z

Weaknesses

CWE-59

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object