CVE-2022-21658: CWE-363: Race Condition Enabling Link Following in rust-lang rust

Medium
Published: Thu Jan 20 2022 (01/20/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: rust-lang
Product: rust

Description

Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.

AI-Powered Analysis

Last updated: 06/22/2025, 04:21:12 UTC

Technical Analysis

CVE-2022-21658 is a race condition vulnerability identified in the Rust programming language's standard library function std::fs::remove_dir_all, which is used to recursively delete directories. The vulnerability arises from a Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-367) that enables symlink following (CWE-363). Specifically, an attacker can exploit this flaw by manipulating symbolic links during the execution of remove_dir_all, causing a privileged program to delete files or directories that the attacker normally would not have permission to access or remove. This can lead to unauthorized deletion of critical files, potentially impacting system integrity and availability. The vulnerability affects Rust versions from 1.0.0 up to and including 1.58.0. The issue was patched in Rust 1.58.1. However, certain build targets such as macOS versions prior to 10.10 (Yosemite) and the REDOX operating system lack APIs that can properly mitigate this attack, leaving them vulnerable even with the patched Rust toolchain. Importantly, adding pre-checks in application code before calling remove_dir_all does not mitigate the vulnerability, as these checks themselves are susceptible to similar race conditions. The vulnerability is particularly critical for programs running with elevated privileges, such as system daemons and setuid binaries, where exploitation could lead to significant unauthorized file system modifications. No known exploits have been reported in the wild to date, but the potential for abuse remains significant given the nature of the vulnerability and its impact on privileged operations.

Potential Impact

For European organizations, the impact of CVE-2022-21658 can be substantial, especially for those relying on Rust-based applications or system components running with elevated privileges. Exploitation could allow attackers to delete critical system or application files, leading to denial of service, data loss, or disruption of essential services. This is particularly concerning for sectors such as finance, healthcare, telecommunications, and critical infrastructure, where system availability and data integrity are paramount. Organizations using Rust in privileged contexts (e.g., system daemons, setuid binaries) are at higher risk. The vulnerability could be leveraged to bypass access controls and compromise system stability, potentially facilitating further attacks or persistence mechanisms. Given that some platforms (notably older macOS versions and REDOX) remain vulnerable even after patching, organizations using these environments face prolonged exposure. The absence of known exploits suggests limited active targeting, but the ease of exploitation via race conditions and the widespread adoption of Rust in modern software development underscore the need for vigilance. Overall, the threat could lead to operational disruptions, increased incident response costs, and reputational damage if exploited.

Mitigation Recommendations

1. Immediate upgrade to Rust version 1.58.1 or later is essential for all development and production environments using Rust, especially those running privileged code.
2. For environments where upgrading Rust is not feasible or where the underlying OS is macOS prior to 10.10 or REDOX, consider isolating or sandboxing affected applications to limit potential damage from unauthorized deletions.
3. Avoid using std::fs::remove_dir_all in privileged contexts unless absolutely necessary; if removal of directories is required, consider implementing alternative deletion mechanisms that do not rely on vulnerable APIs or that use atomic operations where possible.
4. Conduct thorough code audits to identify usage of remove_dir_all in privileged or sensitive applications and prioritize remediation.
5. Implement robust monitoring of file system changes and deletion events, particularly for critical directories, to detect suspicious activity indicative of exploitation attempts.
6. Employ mandatory access controls (e.g., SELinux, AppArmor) to restrict the ability of processes to delete sensitive files, adding an additional layer of defense.
7. Educate developers about the risks of TOCTOU race conditions and the limitations of pre-checks in mitigating such vulnerabilities, promoting secure coding practices that avoid unsafe file system operations.
8. For organizations using older macOS versions, plan and execute OS upgrades to supported versions that provide necessary API protections against this vulnerability.
9. Maintain an incident response plan that includes scenarios involving unauthorized file deletions to ensure rapid containment and recovery.
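
For recommendations 1 and 4, the following added example (not code from the Rust project or from this advisory) classifies a toolchain version and target against the affected range stated above and lists remove_dir_all call sites in a source file. The function names, the Status enum and the sample inputs are constructed for illustration.

```rust
// Added example (not from the Rust project): triage a build for CVE-2022-21658.
// Sample inputs below are constructed for illustration.

#[derive(Debug, PartialEq)]
enum Status {
    Affected,          // toolchain in 1.0.0 ..= 1.58.0
    TargetUnmitigated, // patched toolchain, target lacks the needed APIs
    Patched,
    Unknown,           // version could not be parsed or predates 1.0.0
}

/// Extract (major, minor, patch) from `rustc --version` style output.
fn parse_version(s: &str) -> Option<(u32, u32, u32)> {
    let tok = s.split_whitespace().find(|t| t.starts_with(|c: char| c.is_ascii_digit()))?;
    let core = tok.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u32>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Apply the advisory's ranges. Redox is detectable from the target triple;
/// the macOS release (< 10.10) is not, so check deployment targets separately.
fn classify(rustc_version: &str, target: &str) -> Status {
    match parse_version(rustc_version) {
        Some(v) if v >= (1, 0, 0) && v <= (1, 58, 0) => Status::Affected,
        Some(v) if v > (1, 58, 0) && target.contains("redox") => Status::TargetUnmitigated,
        Some(v) if v > (1, 58, 0) => Status::Patched,
        _ => Status::Unknown,
    }
}

/// 1-based line numbers that call remove_dir_all, skipping `//` comment text.
/// Heuristic: a `//` inside a string literal also truncates the line.
fn find_call_sites(source: &str) -> Vec<usize> {
    source.lines().enumerate()
        .filter(|(_, l)| l.split("//").next().unwrap_or("").contains("remove_dir_all("))
        .map(|(i, _)| i + 1)
        .collect()
}

const SAMPLE: &str = "use std::fs;\n// fs::remove_dir_all(old) was here\n\
fn clean(p: &str) {\n    fs::remove_dir_all(p).unwrap();\n}\n";

fn main() {
    println!("{:?}", classify("rustc 1.58.0", "x86_64-unknown-linux-gnu"));
    println!("{:?}", classify("rustc 1.58.1", "x86_64-unknown-redox"));
    println!("call sites at lines {:?}", find_call_sites(SAMPLE));
}
```

A call site found this way still needs manual review to decide whether it runs in a privileged context; the scan only narrows where to look.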

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-11-16T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9848c4522896dcbf6111

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 4:21:12 AM

Last updated: 8/4/2025, 4:27:54 PM
