Logic Error in uutils Coreutils Affects Command-Line Parsing
CVE-2026-35377

3.3 LOW

Key Information:

Vendor: Uutils

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-35377?

A logic error in the env utility of uutils coreutils breaks command-line argument parsing when the -S (split-string) option is used. The utility mishandles backslashes inside single quotes and reports 'invalid sequence' errors for valid escape sequences. This behavior diverges from the GNU env implementation: the process terminates, which creates compatibility issues for automated scripts and administrative tasks. As a result, users may experience a local denial of service when standard operations that rely on correct string splitting are interrupted.

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic