Intel

AIKIDO-2026-955831

trash is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

25

Low Risk

This Affects:

RUSTtrash
2.0.0 - 5.2.5
Fixed in 5.2.6
Are you affected? Scan for Free

TL;DR

The FreeDesktop trash implementation in src/freedesktop.rs uses assert!(virtually_exists(...)) in metadata() and restore_all() to check that the file referenced by a .trashinfo entry still exists in trash/files. When an orphaned or malformed .trashinfo entry points to a missing target, the assertion fails and the library panics instead of returning an error, aborting the calling process. An attacker who can place or influence trash entries can crash any application that reads metadata for or restores trash items, such as a file manager. The fix replaces the assertions with ensure_virtually_exists(), which returns an Error::FileSystem NotFound error so callers can handle the missing file gracefully.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application runs on a FreeDesktop (Linux) environment and calls the trash metadata or restore APIs on trash contents you do not fully control.

Background info

trash is vulnerable to Denial of Service (DoS) in versions 2.0.0 - 5.2.5.

How to fix this

Upgrade the trash library to the patch version.