Dear GNU Coreutils Maintainers,

I am reporting a DoS vulnerability I discovered in GNU Coreutils ls.

Vulnerability Details:
A specific long sequence of command-line flags causes ls to enter a pathological state, resulting in uncontrolled output, excessive CPU consumption, and terminal flooding. The program does not terminate normally and must be killed manually.

Proof of Concept:
    ls -lsZXx1vUutSsRrQqpoNnmLkIiHhGgFfDdCcBbAa

Expected behavior:
ls should either reject invalid flag combinations with a usage error, ignore unrecognized or redundant flags and list directory contents normally, or at minimum terminate within a reasonable time frame.

Observed behavior:
When executed with the above flags, ls does not list directory contents as expected. Instead, the terminal floods with continuous unbounded output including memory addresses and system paths. CPU usage spikes significantly, and the process does not terminate unless killed manually with Ctrl+C or SIGKILL.

Affected Versions:
GNU coreutils 9.10 (latest from Debian), packaged by Debian (9.10-1)
Linux: Kali Linux 2026.1 (x86_64)

Additional Notes:
This vulnerability allows local users to cause resource exhaustion (CPU, terminal flooding, log saturation) using only the trusted ls binary. No special privileges are required. This is a Living-Off-the-Land (LotL) attack vector that may evade traditional detection methods.

Please let me know if you require additional details or if this is a known issue that has already been addressed. Thank you for your work on coreutils.

Respectfully,
Kaizen - Muhammad Abdullah Khan (Independent researcher)

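The first thing a triager would want for a report like this is a reproducible, bounded run: execute the exact flag string from the report against a small constructed directory tree, under a time limit, and record whether ls stops on its own or has to be killed. The script below is an added triage harness, not part of the report or of coreutils; the directory tree it builds is constructed for the test, and the timeout and line cap are assumed values. Note that the flag string contains -R, which makes ls recurse into subdirectories, so the amount of output depends on the tree under the directory being listed; running against a known, small tree separates "unbounded" from "finite but large".

```shell
#!/bin/sh
# Triage harness for the reported ls invocation (added example, not from the
# report). Runs the exact flag string against a constructed directory tree
# with a time limit and a line cap, and reports the exit status.

# Flag string copied verbatim from the report.
POC_FLAGS='-lsZXx1vUutSsRrQqpoNnmLkIiHhGgFfDdCcBbAa'

# Build a small constructed tree (three nested directories, four empty files)
# so the recursive part of the listing has a known, finite size.
make_tree() {
  dir=$(mktemp -d) || return 1
  mkdir -p "$dir/a/b/c" || return 1
  : > "$dir/one.txt"
  : > "$dir/a/two.txt"
  : > "$dir/a/b/three.txt"
  : > "$dir/a/b/c/four.txt"
  printf '%s\n' "$dir"
}

# Run the PoC flags against TARGET under a LIMIT-second timeout, keeping at
# most CAP output lines. Prints "status=<code> lines=<count>".
#   status=124  -> the time limit expired and ls had to be killed
#   status=0    -> ls listed the tree and exited normally
#   other       -> ls exited on its own with an error (e.g. 2 for bad usage)
run_poc() {
  target=$1
  limit=${2:-5}     # assumed default: 5 seconds
  cap=${3:-1000}    # assumed default: keep at most 1000 lines
  out=$(mktemp) || return 1
  # $POC_FLAGS is deliberately unquoted: it is one argv element, as in the PoC.
  if timeout "$limit" ls $POC_FLAGS "$target" > "$out" 2>&1; then
    status=0
  else
    status=$?
  fi
  lines=$(head -n "$cap" "$out" | wc -l | tr -d ' ')
  rm -f "$out"
  printf 'status=%s lines=%s\n' "$status" "$lines"
}

# Stand-alone run: build the tree, run the PoC against it, clean up.
tree=$(make_tree)
run_poc "$tree" 5 1000
rm -rf "$tree"
```

A status of 124 is the only result that supports "must be killed manually"; any other status means ls terminated on its own, and the line count then shows how much output the recursive listing of the constructed tree produced. To test the report's claim about the reporter's environment, the same function can be pointed at the directory the report was run from, with the cap keeping the terminal usable.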