Skip to main content

uutils coreutils CVE-2026-35373

| EUVDEUVD-2026-25022 LOW
Improper Handling of Unicode Encoding (CWE-176)
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25022
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:09 nvd
LOW 3.3

DescriptionCVE.org

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.

AnalysisAI

The ln utility in uutils coreutils fails to process source paths containing non-UTF-8 filename bytes when using target-directory forms, rejecting valid filenames that GNU ln handles correctly. This logic error affects automated scripts and system tasks on Unix filesystems where non-UTF-8 filenames are common, causing denial of service for those specific operations. SSVC classifies exploitation as possible (POC available) but not automatable, with partial technical impact.

Technical ContextAI

The vulnerability stems from CWE-176 (Improper Handling of Unicode Encoding) in uutils coreutils, a pure-Rust reimplementation of GNU coreutils. The ln utility in forms like 'ln SOURCE... DIRECTORY' enforces UTF-8 encoding validation on source filenames, whereas GNU ln and POSIX standards treat filenames as opaque byte sequences. Unix filesystems (ext4, btrfs, NFS, etc.) store filenames as arbitrary byte strings without encoding constraints; valid files with non-UTF-8 byte sequences (e.g., Latin-1, mixed encodings, or legacy filenames from system migrations) are rejected by uutils ln during the stat() call, while GNU ln succeeds. The divergence occurs because Rust's standard library and string handling default to UTF-8, and uutils did not implement locale-aware or byte-preserving filename handling equivalent to C implementations.

RemediationAI

Upgrade uutils coreutils to the patched version released via PR #11403 (vendor confirms patch availability; consult release notes or GitHub tags for the specific patched version number). For systems unable to upgrade immediately, implement a compensating control by substituting the affected ln utility with GNU coreutils ln (install gnu-coreutils or equivalent package if available), which handles non-UTF-8 filenames correctly by design. Alternatively, audit automated scripts that invoke ln to verify they do not process filenames with non-UTF-8 bytes; if necessary, preprocess filenames to enforce UTF-8 encoding or use byte-safe alternatives (e.g., hard linking via inode numbers, or shell wrappers that escape non-UTF-8 sequences). Trade-off: GNU coreutils substitution adds a dependency but maintains POSIX compatibility; filtering non-UTF-8 filenames may silently drop valid files and mask the underlying issue. Vendors distributing uutils coreutils (including Canonical, per Reported by field) should prioritize updating packaged versions.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy