Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.
AnalysisAI
uutils coreutils tr utility misdefines POSIX character classes [:graph:] and [:print:], incorrectly including ASCII space (0x20) in [:graph:] and excluding it from [:print:] - the opposite of standard behavior. This logic error causes unintended data modification or loss when tr is used in automated scripts or data pipelines that depend on correct character class semantics, such as deletion of graphical characters inadvertently removing all spaces and corrupting structured data. Affects coreutils versions prior to 0.8.0; patch is available from vendor.
Technical ContextAI
The tr utility in uutils coreutils implements character class support following the POSIX standard, which defines [:graph:] as printable characters excluding space and [:print:] as all printable characters including space. The CWE-684 (Incorrect Data Validation) root cause stems from a logic error in the character class definition engine that inverts the membership of the space character, violating the established POSIX and GNU coreutils semantics. When users invoke tr with bracket expressions like '[[:graph:]]' or '[[:print:]]' in substitution or deletion operations, the tool applies the reversed classification, leading to unexpected behavior in text processing pipelines. The CPE cpe:2.3:a:uutils:coreutils identifies the affected product family across all versions before 0.8.0.
RemediationAI
Vendor-released patch: upgrade uutils coreutils to version 0.8.0 or later, which corrects the character class definitions for [:graph:] and [:print:] to conform to POSIX semantics. Users unable to immediately patch should audit any automated scripts or data pipelines that use the tr utility with character classes, particularly those relying on space-character handling or [:graph:]/[:print:] operations; migrate to GNU coreutils' tr implementation if available in your distribution as a workaround, as GNU coreutils correctly implements POSIX semantics. Test any migrated or patched tr invocations against sample data before deploying to production. The patch carries no known breaking changes or performance impact, making immediate upgrade recommended.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25034
GHSA-fhr3-xh3q-69w6