CVE-2015-1865 in Coreutils
Summary
by MITRE
fts.c in coreutils 8.4 allows local users to delete arbitrary files.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/07/2025
The vulnerability identified as CVE-2015-1865 resides within the fts.c component of coreutils version 8.4, representing a critical local privilege escalation issue that enables malicious users to delete arbitrary files on a system. This flaw specifically affects the file traversal and search functionality implemented in the coreutils package, which is fundamental to Unix-like operating systems and widely deployed across enterprise and consumer environments. The vulnerability stems from insufficient input validation and improper file handling mechanisms within the fts.c file, which is part of the File System Traversal library used by various core utilities including find and locate commands.
The technical implementation of this vulnerability exploits a race condition and improper permission checking during file operations within the coreutils framework. When a user executes commands that utilize the fts.c functionality, the system fails to properly validate file paths and permissions, allowing an attacker to manipulate the traversal process to target files outside of the intended scope. This occurs because the vulnerability does not adequately sanitize user inputs or enforce proper access controls when processing file system operations, creating an opportunity for path traversal attacks. The flaw operates at the kernel level file system interface where the fts.c module interacts with the underlying file system structures, making it particularly dangerous as it can be leveraged to bypass standard file access controls and delete files that would normally be protected or restricted.
The operational impact of this vulnerability extends beyond simple file deletion, as it represents a fundamental breakdown in the file system security model of affected systems. Attackers can exploit this weakness to remove critical system files, configuration data, or user documents, potentially leading to complete system compromise or data loss. The vulnerability is particularly concerning in multi-user environments where local users could leverage this flaw to delete files owned by other users or system administrators, effectively enabling unauthorized file manipulation across the entire system. This weakness creates a persistent threat vector that can be exploited repeatedly, as the underlying code structure remains unchanged until patched, and the attack surface is broad due to the widespread use of coreutils across Unix-like systems.
Mitigation strategies for CVE-2015-1865 require immediate system updates to patched versions of coreutils, as the vulnerability cannot be effectively addressed through configuration changes alone. Organizations should implement comprehensive patch management procedures to ensure all systems running affected versions of coreutils are updated promptly. The vulnerability aligns with CWE-22 Path Traversal and CWE-73 Path Traversal in coreutils, and maps to ATT&CK techniques including T1059 Command and Scripting Interpreter and T1070 Indicator Removal. System administrators should also implement monitoring for unauthorized file deletion activities and establish proper file system permissions to limit the potential impact of such attacks. Additionally, implementing mandatory access controls and regular security audits can help detect and prevent exploitation attempts, while maintaining up-to-date system logs can aid in forensic analysis should an attack occur. The vulnerability demonstrates the critical importance of proper input validation and access control implementation in system-level utilities that interface directly with file system operations.