Skip to main content

uutils coreutils CVE-2026-35378

| EUVDEUVD-2026-25032 LOW
Incorrect Short Circuit Evaluation (CWE-768)
2026-04-22 canonical GHSA-5pv5-xh52-hvrp
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25032
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:09 nvd
LOW 3.3

DescriptionCVE.org

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.

AnalysisAI

Logic error in uutils coreutils expr utility evaluates parenthesized subexpressions during parsing rather than execution, breaking short-circuit evaluation for logical OR and AND operations. This causes arithmetic errors in dead code branches (e.g., division by zero) to trigger fatal errors instead of being safely ignored, breaking shell script control flow and diverging from GNU expr compatibility. Affects uutils coreutils versions prior to 0.8.0; publicly available exploit code exists per SSVC data.

Technical ContextAI

The expr utility is a fundamental shell utility that evaluates expressions, particularly for arithmetic and logical operations. In GNU expr, short-circuit evaluation is a critical feature: OR (|) operations skip the right operand if the left is true, and AND (&) operations skip the right operand if the left is false. This prevents evaluation of expressions that would cause errors. The vulnerability stems from CWE-768 (Incorrect Handling of Exceptional Conditions), specifically the premature evaluation of parenthesized subexpressions during the parsing phase. In uutils coreutils, these subexpressions are evaluated eagerly during parsing rather than lazily during execution, preventing the short-circuit logic from suppressing evaluation of dead branches. This breaks common shell script patterns like [[ $x -ne 0 && $(expr $y / $x) ]] where division by zero should be avoided when $x is zero.

RemediationAI

Upgrade uutils coreutils to version 0.8.0 or later, which includes the fix per the vendor release at https://github.com/uutils/coreutils/releases/tag/0.8.0. The upstream fix is documented in PR #11395 at https://github.com/uutils/coreutils/pull/11395. No workarounds are available that preserve functionality; the root cause is architectural (eager vs. lazy evaluation) and requires code-level changes. Organizations using uutils coreutils as a drop-in GNU coreutils replacement should test version 0.8.0 in non-production environments first to verify shell scripts behave identically, as the fix corrects behavior to match GNU expr semantics. If immediate upgrade is not feasible, rewrite affected shell expressions to avoid short-circuit dependencies (e.g., use separate if statements instead of compound conditions), though this degrades script clarity and performance.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy