CVE-2026-35349: CWE-59: Improper Link Resolution Before File Access ('Link Following') in Uutils coreutils
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.
AI Analysis
Technical Summary
The vulnerability in uutils coreutils' rm utility (CVE-2026-35349) involves improper link resolution before file access (CWE-59). The --preserve-root option is intended to prevent recursive deletion of the root filesystem, but the implementation relies on checking the path string rather than comparing device and inode numbers. This allows a symbolic link that resolves to the root directory to bypass the protection, leading to potential unintended recursive deletion of the root filesystem. The vulnerability is local attack vector with high impact on integrity and availability, but requires high attack complexity and no privileges or user interaction.
Potential Impact
An attacker or user can bypass the --preserve-root safeguard by using a symbolic link that points to the root directory, which may result in the recursive deletion of the entire root filesystem. This leads to high impact on system integrity and availability. There is no confidentiality impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using the vulnerable version of uutils coreutils or refrain from using the rm utility with symbolic links that could point to the root directory. Monitor vendor channels for updates and apply patches once released.
CVE-2026-35349: CWE-59: Improper Link Resolution Before File Access ('Link Following') in Uutils coreutils
Description
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in uutils coreutils' rm utility (CVE-2026-35349) involves improper link resolution before file access (CWE-59). The --preserve-root option is intended to prevent recursive deletion of the root filesystem, but the implementation relies on checking the path string rather than comparing device and inode numbers. This allows a symbolic link that resolves to the root directory to bypass the protection, leading to potential unintended recursive deletion of the root filesystem. The vulnerability is local attack vector with high impact on integrity and availability, but requires high attack complexity and no privileges or user interaction.
Potential Impact
An attacker or user can bypass the --preserve-root safeguard by using a symbolic link that points to the root directory, which may result in the recursive deletion of the entire root filesystem. This leads to high impact on system integrity and availability. There is no confidentiality impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using the vulnerable version of uutils coreutils or refrain from using the rm utility with symbolic links that could point to the root directory. Monitor vendor channels for updates and apply patches once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.087Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d019fe3cd2cdd00c66
Added to database: 4/22/2026, 4:31:12 PM
Last enriched: 4/22/2026, 5:02:28 PM
Last updated: 4/23/2026, 1:09:43 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.