GHSA-7cr3-h577-g38j
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode)
Details
The `--preserve-root` check uses a path-string test (`path.has_root() && path.parent().is_none()`) rather than comparing device/inode. A symlink to `/` (e.g. `/tmp/rootlink -> /`) has a parent component, so it passes the check. GNU caches `/`'s dev/inode at startup and compares every traversed directory against it.
**Impact:** `rm -rf --preserve-root` on a path that resolves through a symlink to `/` bypasses protection and can delete system directories. Recommendation: compare each entered directory's dev/inode against cached `/`.
**Remediation:** Acknowledged by Canonical; fixed in commit 5e5968cd.
--- _Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`. Finding 3.44. Credit: Zellic._
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 0.7.0 Upgrade uu_rm to 0.7.0 or newer (ecosystem crates.io).
References
- https://github.com/uutils/coreutils/security/advisories/GHSA-7cr3-h577-g38j [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-35349 [ADVISORY]
- https://github.com/uutils/coreutils/pull/9706 [WEB]
- https://github.com/uutils/coreutils/commit/5e5968cdbc6618acd6c2402a8a98b503f278835e [WEB]
- https://github.com/uutils/coreutils [PACKAGE]
- https://github.com/uutils/coreutils/releases/tag/0.7.0 [WEB]