CVE-2022-21658

Summary

CVE: CVE-2022-21658
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-01-20 18:15:00 UTC
Updated: 2023-11-07 03:43:00 UTC
Description: Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling `remove_dir_all` will not mitigate the vulnerability, as they would also be vulnerable to race conditions like `remove_dir_all` itself. The existing mitigation is working as intended outside of race conditions.

Risk And Classification

Problem Types: CWE-363 | CWE-367

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Apple | Ipados | All | All | All | All
Operating System | Apple | Iphone Os | All | All | All | All
Operating System | Apple | Macos | All | All | All | All
Operating System | Apple | Tvos | All | All | All | All
Operating System | Apple | Watchos | All | All | All | All
Operating System | Fedoraproject | Fedora | 34 | All | All | All
Operating System | Fedoraproject | Fedora | 35 | All | All | All
Application | Rust-lang | Rust | All | All | All | All

References

Reference | Source | Link | Tags
[SECURITY] Fedora 34 Update: rust-afterburn-5.2.0-4.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: rust-1.58.1-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: rust-afterburn-5.2.0-4.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: rust-1.58.1-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
Rust: Multiple Vulnerabilities (GLSA 202210-09) — Gentoo security | GENTOO | security.gentoo.org |
[stable] Fix CVE 2022 21658 and prepare 1.58.1 by pietroalbini · Pull Request #93110 · rust-lang/rust · GitHub | MISC | github.com |
Security advisory for the standard library (CVE-2022-21658) | Rust Blog | MISC | blog.rust-lang.org |
Race condition in std::fs::remove_dir_all · Advisory · rust-lang/rust · GitHub | CONFIRM | github.com |
About the security content of watchOS 8.5 - Apple Support | CONFIRM | support.apple.com |
About the security content of tvOS 15.4 - Apple Support | CONFIRM | support.apple.com |
About the security content of iOS 15.4 and iPadOS 15.4 - Apple Support | CONFIRM | support.apple.com |
About the security content of macOS Monterey 12.3 - Apple Support (PH) | CONFIRM | support.apple.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 159842 Oracle Enterprise Linux Security Update for rust-toolset:ol8 (ELSA-2022-1894)
  • 184303 Debian Security Update for rustc (CVE-2022-21658)
  • 240316 Red Hat Update for rust-toolset:rhel8 security (RHSA-2022:1894)
  • 282280 Fedora Security Update for rust (FEDORA-2022-2c73789458)
  • 282281 Fedora Security Update for rust (FEDORA-2022-1bafa3fc91)
  • 282301 Fedora Security Update for rust (FEDORA-2022-c4071e3dc7)
  • 282328 Fedora Security Update for rust (FEDORA-2022-7ec8bda833)
  • 282351 Fedora Security Update for rust (FEDORA-2022-1b76e3a192)
  • 282381 Fedora Security Update for rust (FEDORA-2022-06569a0a60)
  • 353978 Amazon Linux Security Advisory for rust : ALAS2-2022-1817
  • 6140317 AWS Bottlerocket Security Update for libstd-rust (GHSA-gvh9-whw5-fc42)
  • 690782 Free Berkeley Software Distribution (FreeBSD) Security Update for rust (ee26f513-826e-11ec-8be6-d4c9ef517024)
  • 710640 Gentoo Linux Rust Multiple Vulnerabilities (GLSA 202210-09)
  • 751637 OpenSUSE Security Update for rust1.56 (openSUSE-SU-2022:0149-1)
  • 751655 SUSE Enterprise Linux Security Update for rust (SUSE-SU-2022:0200-1)
  • 751663 OpenSUSE Security Update for rust1.55 (openSUSE-SU-2022:0171-1)
  • 751665 OpenSUSE Security Update for rust1.57 (openSUSE-SU-2022:0175-1)
  • 751722 SUSE Enterprise Linux Security Update for rust (SUSE-SU-2022:0491-1)
  • 751747 OpenSUSE Security Update for rust (openSUSE-SU-2022:0491-1)
  • 751889 OpenSUSE Security Update for rust, rust1.58, rust1.59 (openSUSE-SU-2022:0843-1)
  • 753084 SUSE Enterprise Linux Security Update for rust, rust1.58, rust1.59 (SUSE-SU-2022:0843-1)
  • 753290 SUSE Enterprise Linux Security Update for rust1.57 (SUSE-SU-2022:0175-1)
  • 753341 SUSE Enterprise Linux Security Update for rust1.55 (SUSE-SU-2022:0171-1)
  • 753472 SUSE Enterprise Linux Security Update for rust1.56 (SUSE-SU-2022:0149-1)
  • 900620 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (8333)
  • 901744 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (8337-1)
  • 940513 AlmaLinux Security Update for rust-toolset:rhel8 (ALSA-2022:1894)
  • 960308 Rocky Linux Security Update for rust-toolset:rhel8 (RLSA-2022:1894)