VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 20, 2022· Updated Apr 22, 2025

Race condition in std::fs::remove_dir_all in rustlang

CVE-2022-21658

Description

A race condition in Rust's std::fs::remove_dir_all allows symlink following, enabling privileged programs to delete files they shouldn't access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in Rust's std::fs::remove_dir_all allows symlink following, enabling privileged programs to delete files they shouldn't access.

Vulnerability

The std::fs::remove_dir_all function in the Rust standard library is vulnerable to a race condition (CWE-363) that enables symlink following. Affected versions are Rust 1.0.0 through 1.58.0. The vulnerability is patched in Rust 1.58.1. Note that build targets on macOS before version 10.10 (Yosemite) and REDOX remain vulnerable even with a patched toolchain because they lack usable APIs to properly mitigate the attack.

Exploitation

An attacker must be able to create symlinks and have a privileged program (e.g., a system daemon or setuid binary) call remove_dir_all on a directory under the attacker's control. During the race window, the attacker can replace a directory entry with a symlink to a target file or directory, causing the privileged program to delete that target.

Impact

Successful exploitation allows an attacker to delete files and directories that they would not otherwise have access to or be able to delete. This can lead to denial of service or privilege escalation, depending on the context in which the vulnerable function is used.

Mitigation

Update to Rust 1.58.1 or later, which contains the fix. For macOS before 10.10 and REDOX, no effective mitigation is available. Adding manual checks before calling remove_dir_all is ineffective because those checks are themselves subject to the same race condition.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

55

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `std::fs::remove_dir_all` function is vulnerable to a race condition that allows symlink following."

Attack vector

An attacker can exploit this vulnerability by creating a symbolic link that points to a file or directory the attacker does not have permission to delete. When a privileged program calls `std::fs::remove_dir_all` on a directory containing this symlink, the function may follow the symlink and delete the target file or directory, even if the attacker lacks the necessary permissions for direct deletion. This is particularly risky for programs running in privileged contexts [ref_id=1].

Affected code

The vulnerability resides within the `std::fs::remove_dir_all` function in the Rust standard library. The provided patch modifies the implementation of `remove_dir_all` to include additional checks that prevent the race condition [ref_id=1, ref_id=2].

What the fix does

The patch introduces checks to ensure that the operation is performed on a directory and not a symbolic link, mitigating the race condition that allowed symlink following. By verifying the file type before proceeding with the deletion, the vulnerability is addressed, preventing unintended file deletions via symlinks [ref_id=1]. The advisory recommends updating to Rust 1.58.1 to incorporate this fix.

Preconditions

  • inputThe attacker must be able to create a symbolic link within a directory that will be processed by `std::fs::remove_dir_all`.
  • authThe target program calling `std::fs::remove_dir_all` must have sufficient privileges to delete the file or directory pointed to by the symbolic link.

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

15

News mentions

0

No linked articles in our index yet.