CVE-2026-35379

LOW EPSS 4.5%
Published Apr 22, 20262mo ago · Modified Jun 17, 20261w ago
3.3 CVSS 3.1
Low
Find Similar
Published Apr 22, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.

CVSS Details

Base Score
3.3
Exploitability
1.8
Impact
1.4
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
4.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-684

Affected Products 1

VendorProductVersionRange
uutilscoreutils* <0.8.0

References 2

  • github.com https://github.com/uutils/coreutils/pull/11405
    ExploitIssue TrackingPatch
  • github.com https://github.com/uutils/coreutils/releases/tag/0.8.0
    Release Notes

Remediation

  • github.com https://github.com/uutils/coreutils/pull/11405
    ExploitIssue TrackingPatch