Skip to main content

uutils coreutils CVE-2026-35375

| EUVDEUVD-2026-25026 LOW
Improper Handling of Unicode Encoding (CWE-176)
2026-04-22 canonical
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25026
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:09 nvd
LOW 3.3

DescriptionCVE.org

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.

AnalysisAI

The split utility in uutils coreutils corrupts output filenames when processing non-UTF-8 prefix or suffix inputs by converting invalid byte sequences to UTF-8 replacement characters, causing filename mismatches, collisions, and potential data misdirection. Affected versions prior to 0.8.0 on all platforms exhibit this behavior, which deviates from GNU split's byte-preservation semantics. Local authenticated users can trigger the vulnerability through crafted non-UTF-8 input, leading to integrity issues in automated workflows relying on predictable filename generation.

Technical ContextAI

The vulnerability stems from a logic error in the split utility's filename construction logic, specifically the use of Rust's to_string_lossy() method when building chunk filenames from user-supplied prefix and suffix parameters. The to_string_lossy() function is designed for lossy UTF-8 conversion and automatically replaces invalid byte sequences with the Unicode replacement character (U+FFFD, rendered as a visible diamond with a question mark). In multi-byte encodings common in non-Western locales (e.g., ISO-2022-JP, EUC-KR, GB18030), or when processing binary data inadvertently used as filenames, this lossy conversion creates filenames that diverge from the input bytes. GNU split, by contrast, preserves raw pathname bytes directly to the filesystem, maintaining byte-for-byte fidelity regardless of encoding. CWE-176 (Improper Handling of Unicode Encoding) categorizes this as a character encoding handling defect where the application incorrectly transforms user input during encoding transitions.

RemediationAI

Vendor-released patch: uutils coreutils 0.8.0 or later. Users should upgrade immediately via their package manager or build from the upstream repository tag 0.8.0 onwards. The upstream fix (GitHub PR #11397, merged for 0.8.0 release) replaces lossy to_string_lossy() UTF-8 conversion with byte-preserving mechanisms that maintain raw pathname semantics consistent with GNU split. For systems unable to upgrade immediately, a workaround involves restricting the split utility to ASCII-only prefix and suffix inputs through input validation wrappers or shell functions that reject non-ASCII bytes, though this degrades functionality in non-UTF-8 environments and should be temporary. No significant side effects are expected from upgrading; the fix restores GNU-compatible behavior without breaking legitimate ASCII/UTF-8 use cases.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35375 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy