Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.
AnalysisAI
The sort utility in uutils coreutils crashes with a process panic when the --files0-from option processes inputs containing non-UTF-8 filenames, allowing local authenticated attackers to cause denial of service. Unlike GNU sort, which handles filenames as raw bytes, uutils enforces UTF-8 encoding via expect() calls that immediately panic on invalid sequences. A proof-of-concept exploit exists; SSVC analysis indicates partial technical impact with non-automatable exploitation.
Technical ContextAI
The sort utility implements file reading via the --files0-from option, which is designed to read a null-separated list of filenames from an input source. The underlying issue stems from Rust's string handling: uutils converts filesystem paths (which are valid byte sequences on Unix systems, not necessarily UTF-8) into Rust String types using expect() without graceful error handling. When a filename contains invalid UTF-8 sequences-common in legacy systems, international filenames with encoding variations, or corrupted data-the expect() call panics the entire process. This violates CWE-248 (Uncaught Exception), as the exception condition (non-UTF-8 input) is not properly caught or recovered. GNU sort's C implementation treats filenames as raw bytes and handles them transparently, making this a divergence in compatibility and robustness. The vulnerability affects all versions of uutils coreutils that use this pattern in the sort command's --files0-from implementation.
RemediationAI
Upgrade to a patched version of uutils coreutils when available from the upstream project (check https://github.com/uutils/coreutils for releases post-issue #9696). The fix will replace expect() calls with proper error handling (e.g., map_err() or unwrap_or_else()) that gracefully handles non-UTF-8 filenames, aligning behavior with GNU sort's byte-transparent approach. Until patching, avoid using sort --files0-from with untrusted or legacy input containing non-UTF-8 filenames; instead, use GNU coreutils sort (if available on the system) or pre-filter filenames to ensure UTF-8 encoding. A compensating control for automated pipelines is to wrap sort invocations in shell error traps (set -e) combined with iconv or recode to normalize input encodings beforehand, though this adds performance overhead and may alter filename semantics.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24980
GHSA-f2jv-wjjc-2c94