Logic Error in ln Utility Affects uutils Coreutils
CVE-2026-35373

3.3LOW

Key Information:

Vendor: Uutils
Status: Coreutils
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-35373?

The ln utility within uutils coreutils contains a logic error that prevents it from processing source paths with non-UTF-8 filename bytes when specified in target-directory forms. Unlike GNU ln, which handles filenames as raw bytes, the uutils implementation strictly enforces UTF-8 encoding. This discrepancy results in the failure to accurately stat the file, returning a non-zero exit code. Consequently, automated scripts and system tasks that rely on valid, albeit non-UTF-8 filenames—common on Unix filesystems—can experience functional failures, leading to local denial of service in specific operations.

References

https://github.com/uutils/coreutils/pull/11403

patchissue-tracking

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Zellic

CVE-2026-35373 Data

JSON

Uutils

What is CVE-2026-35373?

References

CVSS V3.1

Timeline

Credit