CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-89p7-7cq3-hhr2: rm: 'rm -rf ./' (and ./// variants) silently deletes current directory contents, bypassing dot protection

mediumCVSS 5.6CVE-2026-35363
rm -rf . is correctly refused, but clean_trailing_slashes normalizes ./// to ./ while path_is_current_or_parent_directory only matches ./.. (and /.//..), not ./ or ../. So rm -rf ./ recursively deletes the directory's contents and then prints a misleading cannot remove './': Invalid input. Impact: all files/subdirectories in the current directory are silently deleted; the misleading error makes users miss the recovery window. Recommendation: handle trailing-slash variants in path_is_current_or_parent_directory. Remediation: Acknowledged by Canonical; fixed in commit d0e5af23. _Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.60. Credit: Zellic._ _Upstream tracking issue: https://github.com/uutils/coreutils/issues/9749 · CVE-2026-35363_

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.6
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-89p7-7cq3-hhr2

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-35363coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories