CVE-2022-21658

HIGH

Rust 1.0.0-1.58.0 - Time-of-check Time-of-use Race Condition in std::fs::remove_dir_all

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-21658. PoCs published by sagittarius-a.

AI-analyzed exploit summary This PoC demonstrates a TOCTOU (Time-of-Check to Time-of-Use) vulnerability in Rust's std::fs::remove_dir_all() function, allowing an attacker to delete sensitive files by exploiting a race condition. The exploit involves rapidly replacing a directory with a symlink to trick the function into deleting unintended files.

Description

Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.

Exploits (1)

nomisec WORKING POC 2 stars
by sagittarius-a · poc
https://github.com/sagittarius-a/cve-2022-21658

This PoC demonstrates a TOCTOU (Time-of-Check to Time-of-Use) vulnerability in Rust's std::fs::remove_dir_all() function, allowing an attacker to delete sensitive files by exploiting a race condition. The exploit involves rapidly replacing a directory with a symlink to trick the function into deleting unintended files.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Racy
Target: Rust standard library (std::fs::remove_dir_all) prior to fix
No auth needed
Prerequisites: Access to the target system · Ability to create symlinks and directories in /tmp
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (15)

Core 15
Core References
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202210-09
Exploit, Mitigation, Vendor Advisory
https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
Patch, Third Party Advisory
https://github.com/rust-lang/rust/pull/93110

Scores

CVSS v3 7.3
EPSS 0.0138
EPSS Percentile 68.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-363 CWE-367
Status published
Products (8)
apple/ipados < 15.4
apple/iphone_os < 15.4
apple/macos 12.0.0 - 12.3
apple/tvos < 15.4
apple/watchos < 8.5
fedoraproject/fedora 34
fedoraproject/fedora 35
rust-lang/rust 1.0.0 - 1.58.0
Published Jan 20, 2022
Tracked Since Feb 18, 2026