Logic Error in uutils Coreutils Affects Script Execution
CVE-2026-35378

3.3LOW

Key Information:

Vendor: Uutils
Status: Coreutils
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-35378?

A logic error in the expr utility of uutils coreutils enables improper evaluation of parenthesized subexpressions during parsing, rather than execution. This flaw disrupts short-circuiting behavior for logical operations, resulting in fatal errors for arithmetic issues, like division by zero, in branches that should be bypassed. Consequently, shell script execution may terminate prematurely without delivering the expected boolean results, diverging from the expected GNU expr behavior and deteriorating the shell control flow.

Affected Version(s)

coreutils Linux 0 < 0.8.0

References

https://github.com/uutils/coreutils/pull/11395

issue-trackingpatch

https://github.com/uutils/coreutils/releases/tag/0.8.0

vendor-advisory

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Zellic

CVE-2026-35378 Data

JSON

Uutils

What is CVE-2026-35378?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit