CVE-2022-21658 in Rust
Summary
by MITRE • 01/20/2022
Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/27/2026
The vulnerability described in CVE-2022-21658 represents a significant race condition flaw within Rust's standard library implementation of the `std::fs::remove_dir_all` function. This security issue manifests as CWE-363, which specifically addresses the dangerous practice of following symbolic links during file system operations. The flaw enables attackers to exploit temporal inconsistencies in file system access controls by manipulating symbolic links during the execution of the removal operation. The vulnerability affects all versions of Rust from 1.0.0 through 1.58.0, creating a substantial attack surface across a wide range of applications that rely on this fundamental file system operation. The race condition occurs when an attacker can manipulate the file system state between the time when permission checks are performed and when the actual file deletion occurs, allowing unauthorized access to files that should otherwise be protected.
The technical implementation of this vulnerability stems from the way `remove_dir_all` handles symbolic links during recursive directory traversal operations. When the function encounters a symbolic link, it follows the link to determine the target directory structure, but this behavior creates a window where an attacker can substitute a different symbolic link or file structure. The race condition specifically occurs because the function does not maintain consistent state throughout its execution, allowing for manipulation of the file system hierarchy between the initial directory inspection and the actual deletion process. This vulnerability is particularly concerning because it operates at the standard library level, meaning any application using Rust's file system operations is potentially exposed to this attack vector. The flaw is classified under the broader category of race condition vulnerabilities that are documented in the CWE taxonomy as CWE-363, which describes the scenario where a program performs an operation that follows symbolic links without proper safeguards against concurrent modification.
Systems running vulnerable versions of Rust face substantial operational risks, especially those executing in privileged contexts such as system daemons, setuid binaries, and other programs with elevated permissions. The attack scenario involves an attacker creating a symbolic link that points to a protected directory or file, then manipulating the file system structure during the execution of `remove_dir_all` to cause the privileged process to delete unintended targets. This could result in unauthorized data deletion, privilege escalation, or system compromise when the vulnerable application runs with elevated privileges. The impact extends beyond simple file deletion to potentially allow attackers to bypass access controls and modify critical system files or directories that should be protected from modification by unprivileged users. Applications that perform file system cleanup operations or manage temporary directories are particularly at risk since these operations often use `remove_dir_all` and may run with elevated privileges.
The mitigation for this vulnerability requires updating to Rust version 1.58.1 or later, which includes a patch that addresses the race condition in the `std::fs::remove_dir_all` implementation. However, certain platforms remain vulnerable despite the toolchain update, specifically macOS versions before 10.10 (Yosemite) and the REDOX operating system, due to limitations in their underlying file system APIs that prevent proper race condition mitigation. Organizations should prioritize updating their Rust toolchains, particularly those managing applications that operate in privileged contexts, as these systems face the highest risk of exploitation. It is important to note that defensive coding practices implemented within application code, such as pre-removal checks, do not provide adequate protection since these checks are also subject to race conditions and the same temporal inconsistencies that affect the vulnerable function. The patch implemented in version 1.58.1 specifically addresses the root cause by ensuring that symbolic link following operations are performed in a manner that prevents attackers from manipulating the file system state during execution, aligning with the ATT&CK framework's mitigation strategies for privilege escalation and file system manipulation techniques.