Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
5DescriptionCVE.org
A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.
AnalysisAI
Logic error in uutils coreutils expr utility evaluates parenthesized subexpressions during parsing rather than execution, breaking short-circuit evaluation for logical OR and AND operations. This causes arithmetic errors in dead code branches (e.g., division by zero) to trigger fatal errors instead of being safely ignored, breaking shell script control flow and diverging from GNU expr compatibility. Affects uutils coreutils versions prior to 0.8.0; publicly available exploit code exists per SSVC data.
Technical ContextAI
The expr utility is a fundamental shell utility that evaluates expressions, particularly for arithmetic and logical operations. In GNU expr, short-circuit evaluation is a critical feature: OR (|) operations skip the right operand if the left is true, and AND (&) operations skip the right operand if the left is false. This prevents evaluation of expressions that would cause errors. The vulnerability stems from CWE-768 (Incorrect Handling of Exceptional Conditions), specifically the premature evaluation of parenthesized subexpressions during the parsing phase. In uutils coreutils, these subexpressions are evaluated eagerly during parsing rather than lazily during execution, preventing the short-circuit logic from suppressing evaluation of dead branches. This breaks common shell script patterns like [[ $x -ne 0 && $(expr $y / $x) ]] where division by zero should be avoided when $x is zero.
RemediationAI
Upgrade uutils coreutils to version 0.8.0 or later, which includes the fix per the vendor release at https://github.com/uutils/coreutils/releases/tag/0.8.0. The upstream fix is documented in PR #11395 at https://github.com/uutils/coreutils/pull/11395. No workarounds are available that preserve functionality; the root cause is architectural (eager vs. lazy evaluation) and requires code-level changes. Organizations using uutils coreutils as a drop-in GNU coreutils replacement should test version 0.8.0 in non-production environments first to verify shell scripts behave identically, as the fix corrects behavior to match GNU expr semantics. If immediate upgrade is not feasible, rewrite affected shell expressions to avoid short-circuit dependencies (e.g., use separate if statements instead of compound conditions), though this degrades script clarity and performance.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25032
GHSA-5pv5-xh52-hvrp