Description
A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Local Denial of Service
Action: Apply Patch
AI Analysis

Impact

A logic error in the ln utility of uutils coreutils causes the program to reject source paths that contain non‑UTF‑8 filename bytes when the user specifies a target directory (e.g., ln SOURCE... DIRECTORY). This failure occurs because the implementation enforces UTF‑8 encoding and does not treat filenames as raw bytes like GNU ln does. The immediate consequence is that the utility cannot stat the file, returns a non‑zero exit code, and any scripts or system tasks that depend on creating links silently fail. The vulnerability is a local denial‑of‑service condition that affects only the environment in which the ln command is executed; it does not allow remote code execution or compromise data confidentiality or integrity.

Affected Systems

The impact is limited to installations of the uutils coreutils package, a Rust‑based reimplementation of GNU coreutils. Any Unix‑like system that uses the uutils ln utility for automated scripts, backups, or file‑management tasks is at risk, especially when those scripts process filenames containing non‑UTF‑8 bytes.

Risk and Exploitability

The CVSS score of 3.3 classifies this as low severity, and the EPSS score is not available, suggesting that exploitation is not widely targeted. Because the attack vector is local and requires the presence of the uutils ln utility, the risk remains limited to environments that depend on this utility. The vulnerability is not listed in CISA’s KEV catalog, and no publicly known exploits have been disclosed.

Generated by OpenCVE AI on April 27, 2026 at 08:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update uutils coreutils to a release that incorporates the fix for non‑UTF‑8 filenames; the pull request that implements the work‑around has already been merged and will be included in the next stable release.
  • If an update is not yet available, temporarily replace the uutils ln utility with GNU ln for the operations that handle non‑UTF‑8 filenames, ensuring that scripts use the system’s standard ln instead of the Rust implementation.
  • Add error handling to scripts that invoke uutils ln to detect non‑zero exit codes, log the filenames that caused failures, and gracefully continue or retry with a different utility.

Generated by OpenCVE AI on April 27, 2026 at 08:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xh5h-p8c5-4w4x uutils coreutils has an Improper Handling of Unicode Encoding Issue
History

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Uutils
Uutils coreutils
Vendors & Products Uutils
Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.
Title uutils coreutils ln Local Denial of Service via Improper Handling of Non-UTF-8 Filenames
Weaknesses CWE-176
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Uutils Coreutils
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:20:29.756Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35373

cve-icon Vulnrichment

Updated: 2026-04-22T17:20:19.459Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:41.997

Modified: 2026-05-04T20:01:25.930

Link: CVE-2026-35373

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:53:31Z

Weaknesses