Skip to main content

uutils coreutils CVE-2026-35377

| EUVDEUVD-2026-25030 LOW
Improper Input Validation (CWE-20)
2026-04-22 canonical GHSA-5v4g-vw9x-h534
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 06:59 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25030
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:09 nvd
LOW 3.3

DescriptionCVE.org

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.

AnalysisAI

The env utility in uutils coreutils incorrectly rejects valid backslash escape sequences in single-quoted strings when using the -S (split-string) option, terminating with exit status 125 and causing local denial of service for scripts relying on GNU env compatibility. The implementation performs overly strict validation that diverges from GNU behavior, where backslashes outside of \\ and \' are treated literally rather than invalid, breaking automated administrative workflows.

Technical ContextAI

The env utility is a POSIX-standard command-line tool used to execute programs with modified environment variables and to split command strings. The -S option enables split-string mode, where a single argument is parsed as multiple arguments separated by spaces and tabs. GNU env implements shell-like backslash escape handling within single quotes with specific rules: backslashes are literal except for \\, which becomes \, and \', which becomes '. The uutils implementation, which provides Rust-based replacements for GNU coreutils, incorrectly validates backslash sequences and rejects valid ones like \a or \x as errors. This is a CWE-20 (Improper Input Validation) issue where the validation logic is stricter than the specification requires, causing the parser to terminate prematurely rather than interpret sequences according to GNU semantics.

RemediationAI

Apply the patch from uutils coreutils GitHub PR #11512 or upgrade to the next release that includes the fix (specific version number not confirmed in provided references). The upstream fix corrects the backslash validation logic to match GNU env behavior, allowing literal backslashes in single-quoted strings except for \\ and \'. No workarounds are practical because the issue is in core argument parsing; the only temporary mitigation is to avoid the -S option entirely or rewrite scripts to eliminate backslash sequences within split strings, though this may break portability. Since exploitation requires local shell access and no remote vector exists, the remediation priority is medium - suitable for next routine patching window rather than emergency deployment, but should be prioritized for systems running uutils as a drop-in GNU coreutils replacement.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy