rm -rf . is correctly refused, but clean_trailing_slashes normalizes ./// to ./ while path_is_current_or_parent_directory only matches ./.. (and /.//..), not ./ or ../. So rm -rf ./ recursively deletes the directory's contents and then prints a misleading cannot remove './': Invalid input.
Impact: all files/subdirectories in the current directory are silently deleted; the misleading error makes users miss the recovery window. Recommendation: handle trailing-slash variants in path_is_current_or_parent_directory.
Remediation: Acknowledged by Canonical; fixed in commit d0e5af23.
Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.60. Credit: Zellic.
Upstream tracking issue: uutils/coreutils#9749 · CVE-2026-35363
References
rm -rf .is correctly refused, butclean_trailing_slashesnormalizes.///to./whilepath_is_current_or_parent_directoryonly matches./..(and/.//..), not./or../. Sorm -rf ./recursively deletes the directory's contents and then prints a misleadingcannot remove './': Invalid input.Impact: all files/subdirectories in the current directory are silently deleted; the misleading error makes users miss the recovery window. Recommendation: handle trailing-slash variants in
path_is_current_or_parent_directory.Remediation: Acknowledged by Canonical; fixed in commit d0e5af23.
Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit
3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.60. Credit: Zellic.Upstream tracking issue: uutils/coreutils#9749 · CVE-2026-35363
References