Fluid Attacks Database

Description

A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	rust-coreutils	=0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.17-6 \|\| =0.0.19-1 \|\| =0.0.19-2 \|\| =0.0.19-3 \|\| =0.0.20-1 \|\| =0.0.21-1 \|\| =0.0.22-1 \|\| =0.0.23-1 \|\| =0.0.23-2 \|\| =0.0.23-3 \|\| =0.0.24-1 \|\| =0.0.24-2 \|\| =0.0.26-1 \|\| =0.0.26-2 \|\| =0.0.26-3 \|\| =0.0.26-4 \|\| =0.0.26-5 \|\| =0.0.27-1 \|\| =0.0.27-2 \|\| =0.0.27-3 \|\| =0.0.30-1 \|\| =0.0.30-2 \|\| =0.0.30-3 \|\| =0.0.30-3~exp1 \|\| =0.0.30-4 \|\| =0.6.0-1 \|\| =0.7.0-1	-
debian 13	rust-coreutils	=0.0.30-2 \|\| =0.0.30-3 \|\| =0.0.30-3~exp1 \|\| =0.0.30-4 \|\| =0.6.0-1 \|\| =0.7.0-1	-
cargo	coreutils	>=0 <0.7.0	0.7.0

Aliases

1. CVE-2026-353492. NVD-2026-353493. OSV-DEBIAN-2026-353494. OSV-2026-353495. GCVE-2026-353496. SECURITY-TRACKER-CVE-2026-35349

References

1. https://github.com/uutils/coreutils/pull/97062. https://github.com/uutils/coreutils/commit/5e5968cdbc6618acd6c2402a8a98b503f278835e3. https://github.com/uutils/coreutils/releases/tag/0.7.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.