Description

A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.

INFO

Published Date :

2026-04-22T16:07:59.808Z

Last Modified :

2026-04-22T18:05:13.169Z

Source :

canonical
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35349 vulnerability.

Vendors Products
Uutils
  • Coreutils
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35349.

URL Resource
https://github.com/uutils/coreutils/pull/9706 cve-icon cve-icon
https://github.com/uutils/coreutils/releases/tag/0.7.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact