{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35379", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.089Z", "datePublished": "2026-04-22T16:09:17.114Z", "dateUpdated": "2026-04-22T16:59:11.751Z"}, "containers": {"cna": {"title": "uutils coreutils tr Local Logic Error and Data Integrity Issue in Character Class Handling", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "versions": [{"status": "affected", "lessThan": "0.8.0", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-684", "description": "CWE-684: Incorrect Provision of Specified Functionality", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153: Input Data Manipulation"}]}], "descriptions": [{"lang": "en", "value": "A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing."}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11405", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:09:17.114Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T16:58:58.741199Z", "id": "CVE-2026-35379", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T16:59:11.751Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35379", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T16:58:58.741199Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T16:59:07.039Z"}}], "cna": {"title": "uutils coreutils tr Local Logic Error and Data Integrity Issue in Character Class Handling", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153: Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "versions": [{"status": "affected", "version": "0", "lessThan": "0.8.0", "versionType": "semver"}], "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11405", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-684", "description": "CWE-684: Incorrect Provision of Specified Functionality"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:09:17.114Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35379", "state": "PUBLISHED", "dateUpdated": "2026-04-22T16:59:11.751Z", "dateReserved": "2026-04-02T12:58:56.089Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:09:17.114Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2365DBBD-6F10-4651-8DA4-08AE79E14423", "versionEndExcluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing."}], "id": "CVE-2026-35379", "lastModified": "2026-04-29T15:59:08.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:42.887", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/uutils/coreutils/pull/11405"}, {"source": "security@ubuntu.com", "tags": ["Release Notes"], "url": "https://github.com/uutils/coreutils/releases/tag/0.8.0"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-684"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "unix", "macos"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coreutils", "source": "cna", "vendor": "Uutils"}, "product": "coreutils", "vendor": "uutils"}], "analysis": {"en": {"generated_at": "2026-04-28T15:19:52.553654+00:00", "value": {"mitigation_remediation": ["Check with the Uutils coreutils maintainers or community for an official patch or update that addresses the character class handling issue.", "Avoid using tr with the [:graph:] or [:print:] classes in scripts that depend on POSIX semantics until a verified fix is available.", "Validate tr output in automated workflows to detect unexpected removal of whitespace and mitigate potential data corruption."], "summary": {"action": "Assess Impact", "impact": "Data Integrity Violation"}, "threat_synthesis": {"affected_systems": "The affected product is Uutils coreutils. No specific affected version is provided in the CVE payload, so all currently available releases may be susceptible until a patch is released.", "description_and_impact": "The tr utility in uutils coreutils contains a logic error that misclassifies the POSIX [:graph:] and [:print:] character classes by incorrectly treating the ASCII space character as graphically printable and excluding it from printable. Because of this inversion, scripts that intend to preserve whitespace or remove only visible characters may inadvertently delete all space characters, corrupting data or causing downstream processing errors.", "risk_and_exploitability": "Based on the description, it is inferred that exploitation requires local access to the tr command and there is no remote or privilege\u2011escalation vector. The CVSS score of 3.3 indicates low severity. The EPSS score is < 1% and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation likelihood under current conditions."}}}}, "created": "2026-04-27T19:53:25.461044+00:00", "updated": "2026-04-28T15:30:34.815801+00:00", "vendors": ["uutils", "uutils$PRODUCT$coreutils"]}