Skip to main content

uutils coreutils CVE-2026-35379

| EUVDEUVD-2026-25034 LOW
Incorrect Provision of Specified Functionality (CWE-684)
2026-04-22 canonical GHSA-fhr3-xh3q-69w6
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:01 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25034
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:09 nvd
LOW 3.3

DescriptionCVE.org

A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.

AnalysisAI

uutils coreutils tr utility misdefines POSIX character classes [:graph:] and [:print:], incorrectly including ASCII space (0x20) in [:graph:] and excluding it from [:print:] - the opposite of standard behavior. This logic error causes unintended data modification or loss when tr is used in automated scripts or data pipelines that depend on correct character class semantics, such as deletion of graphical characters inadvertently removing all spaces and corrupting structured data. Affects coreutils versions prior to 0.8.0; patch is available from vendor.

Technical ContextAI

The tr utility in uutils coreutils implements character class support following the POSIX standard, which defines [:graph:] as printable characters excluding space and [:print:] as all printable characters including space. The CWE-684 (Incorrect Data Validation) root cause stems from a logic error in the character class definition engine that inverts the membership of the space character, violating the established POSIX and GNU coreutils semantics. When users invoke tr with bracket expressions like '[[:graph:]]' or '[[:print:]]' in substitution or deletion operations, the tool applies the reversed classification, leading to unexpected behavior in text processing pipelines. The CPE cpe:2.3:a:uutils:coreutils identifies the affected product family across all versions before 0.8.0.

RemediationAI

Vendor-released patch: upgrade uutils coreutils to version 0.8.0 or later, which corrects the character class definitions for [:graph:] and [:print:] to conform to POSIX semantics. Users unable to immediately patch should audit any automated scripts or data pipelines that use the tr utility with character classes, particularly those relying on space-character handling or [:graph:]/[:print:] operations; migrate to GNU coreutils' tr implementation if available in your distribution as a workaround, as GNU coreutils correctly implements POSIX semantics. Test any migrated or patched tr invocations against sample data before deploying to production. The patch carries no known breaking changes or performance impact, making immediate upgrade recommended.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy