Description
A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.
Published: 2026-04-22
Score: 5.6 Medium
EPSS: n/a
KEV: No
Impact: Data loss
Action: Apply Patch
AI Analysis

Impact

The rm utility in Uutils coreutils rejects the exact operands '.' and '..' but does not normalize other spellings of the same directory first, so operands with trailing slashes such as './' or './//' pass the safeguard even though they resolve to the current directory. When a user runs 'rm -rf ./', the command recursively deletes every file and subdirectory in the current working directory. The only output is a misleading 'Invalid input' error, which does not indicate that anything was removed and can lead the user to overlook the loss until recovery is no longer possible. The advisory classifies the flaw as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
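To make the safeguard failure concrete, the following is an added example, not code from uutils coreutils or from the advisory: it models the "refuse to remove . or .." check in two forms, a literal string comparison of the kind the advisory describes as bypassable, and a hardened form that strips trailing slashes and inspects the basename, which is the rule POSIX specifies for rm. The function names, the Decision type and the sample operands are illustrative assumptions, and POSIX '/' separators are assumed; the real uutils implementation is not reproduced here.

```rust
// Added example, not code from uutils coreutils: a minimal model of the
// "refuse to remove . or .." safeguard described in the advisory, in the
// bypassable form and in a hardened form. POSIX '/' separators are assumed.

/// Bypassable form: compares the raw operand against the two literal strings.
/// "./", ".///" and "../" are not equal to "." or "..", so they pass and the
/// recursive removal proceeds, which is the behaviour the advisory describes.
pub fn naive_refuses(operand: &str) -> bool {
    operand == "." || operand == ".."
}

/// Hardened form, following the POSIX rule for rm: strip trailing slashes,
/// then refuse if the basename of what remains is "." or "..". This catches
/// "./", ".///", "../", "sub/." and "/./" while still allowing "./file",
/// ".hidden" and "..." (three dots is an ordinary file name). A bare "/"
/// trims to "" and is not refused here; root protection is a separate check.
pub fn hardened_refuses(operand: &str) -> bool {
    let trimmed = operand.trim_end_matches('/');
    // rsplit always yields at least one item, so next() is Some even for "".
    let base = trimmed.rsplit('/').next().unwrap_or(trimmed);
    base == "." || base == ".."
}

/// True when the operand slips past the naive check but is refused by the
/// hardened one: exactly the bypass set the advisory is about.
pub fn bypasses_naive_check(operand: &str) -> bool {
    hardened_refuses(operand) && !naive_refuses(operand)
}

/// Outcome a caller would act on before touching the filesystem.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Refuse,
    Proceed,
}

pub fn decide(operand: &str) -> Decision {
    if hardened_refuses(operand) {
        Decision::Refuse
    } else {
        Decision::Proceed
    }
}

fn main() {
    // Constructed sample operands; "./" and ".///" are the spellings from the advisory.
    let operands = [".", "..", "./", ".///", "../", "sub/.", "./file", ".hidden", "...", "/"];
    println!("{:<10} {:<6} {:<9} {}", "operand", "naive", "hardened", "bypass");
    for op in operands {
        println!(
            "{:<10} {:<6} {:<9} {}",
            format!("{:?}", op),
            naive_refuses(op),
            hardened_refuses(op),
            bypasses_naive_check(op)
        );
    }
}
```

The hardened form deliberately works on the operand text rather than on a canonicalized filesystem path: the protection must apply before anything is resolved or removed, and it must not depend on whether the directory currently exists.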

Affected Systems

The vulnerability exists in the Uutils coreutils package. All released versions of the rm utility that have not incorporated the fix are affected. No specific version numbers are disclosed in the advisory, so any deployment of the Uutils coreutils binary that includes the unpatched rm command would be vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 5.6 (vector AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L) indicates medium severity: local access, low privileges, user interaction required, high integrity impact and low availability impact, with no confidentiality impact. No EPSS score is available, so there is no published exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. The realistic abuse path is a user, script or build step being induced to run rm -rf with an operand such as './' inside a directory of interest; the invoking user needs write permission on the directories whose entries are removed, and only files that user could delete anyway are affected. Because the deletion is recursive and the error message obscures it, the resulting loss can be extensive, but it requires local execution.

Generated by OpenCVE AI on April 22, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release of Uutils coreutils that includes the path normalization fix for the rm command as soon as one is available; until then, treat every installed version as affected.
  • If an immediate upgrade is unavailable, avoid rm -rf with an operand that resolves to the current directory, such as './' or './//'; name the intended entries explicitly or use an absolute path to them.
  • Where scripts or build tooling run rm -rf on computed paths, wrap rm so that it rejects any operand whose basename, after trailing slashes are stripped, is '.' or '..', and consider filesystem immutability flags (for example chattr +i) on directories that must never be emptied. Restricting rm in sudoers only helps where rm would run with elevated privileges; this bug is reachable by any unprivileged user on files they can already delete.

Generated by OpenCVE AI on April 22, 2026 at 18:08 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type: Description
Values Removed: none
Values Added: A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

Type: Title
Values Removed: none
Values Added: uutils coreutils rm Safeguard Bypass via Improper Path Normalization

Type: Weaknesses
Values Removed: none
Values Added: CWE-22

Type: References
Values Removed: none
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:24:11.243Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35363

Vulnrichment

Updated: 2026-04-22T17:24:08.174Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:39.120

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35363

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses