Description
The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update
AI Analysis

Impact

The uutils coreutils sort utility crashes when the --files0-from option is used with filenames that are valid but not encoded in UTF-8. The implementation forces UTF‑8 parsing and uses expect(), which triggers a process panic on encountering such filenames. This divergence from GNU sort, which treats filenames as raw bytes, results in a local denial‑of‑service situation where an attacker can cause the sort program to terminate unexpectedly, disrupting automated pipelines that rely on it.

Affected Systems

The affected product is uutils coreutils, specifically the sort command. No specific version information is provided, so any release that supports the --files0-from option may be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity vulnerability. EPSS data is not available, and the issue is not listed in CISA KEV. The vulnerability is exploitable by a local attacker who has the ability to place files with non‑UTF‑8 names in a directory processed by sort. By triggering the crash, the attacker can disrupt services or CI/CD pipelines that depend on the sort utility.

Generated by OpenCVE AI on April 27, 2026 at 08:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to a version that includes the fix for this issue.
  • Avoid using the --files0-from option with directories that might contain filenames containing non‑UTF‑8 characters.
  • Limit local file system permissions so that only trusted users can introduce such filenames into directories processed by sort.

Generated by OpenCVE AI on April 27, 2026 at 08:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f2jv-wjjc-2c94 uutils coreutils has an Uncaught Exception When Encountering Valid but Non-UTF-8 Paths
History

Fri, 24 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Uutils
Uutils coreutils
CPEs cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*
Vendors & Products Uutils
Uutils coreutils

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.
Title uutils coreutils sort Local Denial of Service via Forced UTF-8 Parsing
Weaknesses CWE-248
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Uutils Coreutils
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T18:21:11.748Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35348

cve-icon Vulnrichment

Updated: 2026-04-22T18:18:16.368Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:37.040

Modified: 2026-04-24T18:57:20.927

Link: CVE-2026-35348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:54:37Z

Weaknesses