VDB
KO
MEDIUM 6.7

GHSA-7cr3-h577-g38j

rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode)

Details

The `--preserve-root` check uses a path-string test (`path.has_root() && path.parent().is_none()`) rather than comparing device/inode. A symlink to `/` (e.g. `/tmp/rootlink -> /`) has a parent component, so it passes the check. GNU caches `/`'s dev/inode at startup and compares every traversed directory against it.

**Impact:** `rm -rf --preserve-root` on a path that resolves through a symlink to `/` bypasses protection and can delete system directories. Recommendation: compare each entered directory's dev/inode against cached `/`.

**Remediation:** Acknowledged by Canonical; fixed in commit 5e5968cd.

--- _Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`. Finding 3.44. Credit: Zellic._

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / uu_rm
Introduced in: 0 Fixed in: 0.7.0

Upgrade uu_rm to 0.7.0 or newer (ecosystem crates.io).

References