Skip to main content

uutils coreutils CVE-2026-35348

| EUVDEUVD-2026-24980 MEDIUM
Uncaught Exception (CWE-248)
2026-04-22 canonical GHSA-f2jv-wjjc-2c94
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24980
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:07 nvd
MEDIUM 5.5

DescriptionCVE.org

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

AnalysisAI

The sort utility in uutils coreutils crashes with a process panic when the --files0-from option processes inputs containing non-UTF-8 filenames, allowing local authenticated attackers to cause denial of service. Unlike GNU sort, which handles filenames as raw bytes, uutils enforces UTF-8 encoding via expect() calls that immediately panic on invalid sequences. A proof-of-concept exploit exists; SSVC analysis indicates partial technical impact with non-automatable exploitation.

Technical ContextAI

The sort utility implements file reading via the --files0-from option, which is designed to read a null-separated list of filenames from an input source. The underlying issue stems from Rust's string handling: uutils converts filesystem paths (which are valid byte sequences on Unix systems, not necessarily UTF-8) into Rust String types using expect() without graceful error handling. When a filename contains invalid UTF-8 sequences-common in legacy systems, international filenames with encoding variations, or corrupted data-the expect() call panics the entire process. This violates CWE-248 (Uncaught Exception), as the exception condition (non-UTF-8 input) is not properly caught or recovered. GNU sort's C implementation treats filenames as raw bytes and handles them transparently, making this a divergence in compatibility and robustness. The vulnerability affects all versions of uutils coreutils that use this pattern in the sort command's --files0-from implementation.

RemediationAI

Upgrade to a patched version of uutils coreutils when available from the upstream project (check https://github.com/uutils/coreutils for releases post-issue #9696). The fix will replace expect() calls with proper error handling (e.g., map_err() or unwrap_or_else()) that gracefully handles non-UTF-8 filenames, aligning behavior with GNU sort's byte-transparent approach. Until patching, avoid using sort --files0-from with untrusted or legacy input containing non-UTF-8 filenames; instead, use GNU coreutils sort (if available on the system) or pre-filter filenames to ensure UTF-8 encoding. A compensating control for automated pipelines is to wrap sort invocations in shell error traps (set -e) combined with iconv or recode to normalize input encodings beforehand, though this adds performance overhead and may alter filename semantics.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy