Muhammad Abdullah Khan Niazi <[email protected]> writes:
> Dear GNU Coreutils Maintainers,
>
> I am reporting a DoS vulnerability I discovered in GNU Coreutils ls.
>
> Vulnerability Details:
> A specific long sequence of command-line flags causes ls to enter a
> pathological state, resulting in uncontrolled output, excessive CPU
> consumption, and terminal flooding. The program does not terminate normally
> and must be killed manually.
>
> Proof of Concept:
>
> ls -lsZXx1vUutSsRrQqpoNnmLkIiHhGgFfDdCcBbAa
>
> Expected behavior:
> ls should either reject invalid flag combinations with a usage error,
> ignore unrecognized or redundant flags and list directory contents
> normally, or at minimum terminate within a reasonable time frame.
>
> Observed behavior:
> When executed with the above flags, ls does not list directory contents as
> expected. Instead, the terminal floods with continuous unbounded output
> including memory addresses and system paths. CPU usage spikes
> significantly, and the process does not terminate unless killed manually
> with Ctrl+C or SIGKILL.
>
> Affected Versions:
> GNU coreutils 9.10 (latest from Debian)
> Packaged by Debian (9.10-1)
> Linux: Kali Linux 2026.1 (x86_64)
>
> Additional Notes:
> This vulnerability allows local users to cause resource exhaustion (CPU,
> terminal flooding, log saturation) using only the trusted ls binary. No
> special privileges are required. This is a Living-Off-the-Land (LotL)
> attack vector that may evade traditional detection methods.
>
> Please let me know if you require additional details or if this is a known
> issue that has already been addressed.
>
> Thank you for your work on coreutils.

Your invocation is perfectly valid. All the options are supported by
'ls'. The letters after 'I' are treated as the ignore pattern. In other
words, your invocation is more clearly written as:

    ls -lsZXx1vUutSsRrQqpoNnmLkI iHhGgFfDdCcBbAafDdCcBbAaq

Regarding high CPU usage and lots of terminal output, if someone has
access to run commands on your system they have more worthwhile ways to
mess with you. E.g. forking many processes [1].

Thanks for the report, though I assume it is an LLM hallucination.

Collin

[1] https://en.wikipedia.org/wiki/Fork_bomb