Skip to content

mv: symlinks expanded during cross-device move (resource exhaustion / data duplication)

High
sylvestre published GHSA-h444-6j9x-p8vh May 30, 2026

Package

cargo uu_mv (Rust)

Affected versions

< 0.7.0

Patched versions

0.7.0

Description

When moving directories across filesystems, uutils mv dereferences symlinks inside the tree, copying their targets as real files/dirs instead of preserving the symlinks. GNU preserves symlinks by default. E.g. a etc_link -> /etc inside the source becomes a full copy of /etc at the destination.

Impact: (1) resource exhaustion — a small tree can expand into a huge copy (time/disk DoS); (2) unintended duplication of sensitive paths referenced by symlink; (3) symlink-loop amplification causing deep recursion. Recommendation: in cross-device fallback, detect symlinks via symlink_metadata() and recreate with read_link()/symlink(); add loop detection.

Remediation: Acknowledged by Canonical; fixed in commit 9654e4a.


Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.63. Credit: Zellic.

Severity

High

CVE ID

CVE-2026-35365

Weaknesses

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Learn more on MITRE.

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource. Learn more on MITRE.