CVE-2026-35349
Published: 22 April 2026
Summary
CVE-2026-35349 is a medium-severity Link Following (CWE-59) vulnerability in Uutils Coreutils. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Data Destruction (T1485). The CVE ranks at the 2.9th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses CVE-2026-35349 by requiring timely remediation, that is, updating uutils coreutils to version 0.7.0 or later, which replaces the bypassable path-string check.
- Vulnerability scanning: Enables identification of vulnerable uutils coreutils installations so that the symlink-based --preserve-root bypass can be remediated proactively.
- AC-6 (Least Privilege): Limits damage from exploitation. rm deletes only what the invoking user may delete, so a user who lacks the rights to remove system files cannot wipe the root filesystem even when the symlink defeats the --preserve-root check.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses --preserve-root in the rm utility via a symbolic link (CWE-59), directly enabling recursive deletion of the root filesystem, which is data destruction with an availability impact.
NVD Description
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.
Deeper analysis
CVE-2026-35349 is a vulnerability in the rm utility of uutils coreutils that allows bypassing the --preserve-root protection mechanism. Instead of comparing device and inode numbers to identify the root directory, the implementation relies on a path-string check, enabling attackers or accidental users to circumvent this safeguard using a symbolic link that resolves to the root directory, such as /tmp/rootlink -> /. This flaw, classified under CWE-59 (Improper Link Resolution Before File Access), carries a CVSS v3.1 base score of 6.7 (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H) and was published on 2026-04-22.
The vector describes a local attacker with no privileges and no user interaction, but a high attack complexity. The scenario is a symlink pointing to / (such as /tmp/rootlink -> /) and an rm invocation that operates through that link with --preserve-root in effect; --preserve-root is the default, so a plain recursive rm on the link path (e.g., rm -rf /tmp/rootlink) is enough to reach the flawed check. Because the check inspects the path string rather than the device and inode of the resolved target, the utility does not recognise that the destination is the root directory, and the result can be recursive deletion of the entire root filesystem, a severe integrity and availability impact. Note that the deletion runs with the privileges of whoever invokes rm: an unprivileged attacker can plant the link, but wiping the root filesystem requires that a privileged user or an automated job run rm against it, which is the "accidental user" case the NVD description also covers.
The fix, uutils coreutils pull request #9706, replaces the path-string check and is included in the 0.7.0 release at https://github.com/uutils/coreutils/releases/tag/0.7.0. Practitioners running uutils coreutils should update to version 0.7.0 or later; the installed version can be confirmed with rm --version. Until then, the AC-6 point above applies: avoid running recursive rm as root against paths that may contain user-controlled symlinks.
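As an added illustration, written for this page and not taken from the uutils coreutils project or from pull request #9706, the two kinds of root check side by side: a path-string test of the kind the advisory describes, which a symlink defeats, and a device/inode comparison against the metadata of "/", which follows the link and therefore catches it. The symlink name and the use of the system temp directory are assumptions made for the demo; the program creates the link, checks it both ways, and removes only the link.

```rust
// Added example (not uutils code): why a path-string root check is bypassable
// by a symlink, and how a device/inode comparison closes the gap.
use std::fs;
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::{Path, PathBuf};

/// Weak check in the spirit of the flaw: decides "is this the root directory?"
/// from the path text alone. "/" (or "//") is root; anything else is not.
/// A link such as /tmp/rootlink -> / does not look like "/" and so passes.
pub fn is_root_by_path(path: &Path) -> bool {
    let s = path.to_string_lossy();
    !s.is_empty() && s.chars().all(|c| c == '/')
}

/// Robust check: fs::metadata follows symlinks, so we compare the device and
/// inode numbers of whatever the path resolves to with those of "/".
/// The name of the link is irrelevant; only the object it resolves to matters.
pub fn is_root_by_inode(path: &Path) -> io::Result<bool> {
    let target = fs::metadata(path)?;
    let root = fs::metadata("/")?;
    Ok(target.dev() == root.dev() && target.ino() == root.ino())
}

/// Demo helper (assumption for this example): create `name` -> / under the
/// system temp directory and return the link's path.
pub fn make_root_link(name: &str) -> io::Result<PathBuf> {
    let link = std::env::temp_dir().join(name);
    let _ = fs::remove_file(&link); // stale link from an earlier run; ignore "not found"
    std::os::unix::fs::symlink("/", &link)?;
    Ok(link)
}

fn main() -> io::Result<()> {
    let link = make_root_link("cve-2026-35349-demo-rootlink")?;
    println!("{}: root by path string? {}", link.display(), is_root_by_path(&link));
    println!("{}: root by dev/inode?   {}", link.display(), is_root_by_inode(&link)?);
    // remove_file on a symlink unlinks the link itself, never its target.
    fs::remove_file(&link)?;
    Ok(())
}
```

The path-string check reports the link as safe to recurse into while the inode comparison reports it as the root directory; a preserve-root guard built on the second check refuses the recursive delete regardless of how the root was named.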
Details
- CWE(s)