Description
A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Local Data Integrity Issue
Action: Update Utility
AI Analysis

Impact

A logic error in the split utility of uutils coreutils causes corruption of output filenames when non‑UTF‑8 prefixes or suffixes are supplied. The code uses to_string_lossy(), converting invalid byte sequences into the Unicode replacement character U+FFFD, which differs from GNU split that preserves raw bytes. This results in files being written with incorrect names, potentially leading to filename collisions, broken scripts, or misdirected output data.
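The difference between lossy and byte-preserving name construction, as an added Rust example (not code from uutils or from this advisory). The function names, the "aa" chunk index and the two Latin-1 prefixes are constructed for illustration, and the code is Unix-only:

```rust
// Added example, not uutils code. All function names are hypothetical.
use std::collections::HashSet;
use std::ffi::{OsStr, OsString};
use std::os::unix::ffi::{OsStrExt, OsStringExt};

/// Lossy construction, the pattern the advisory describes: each invalid
/// byte sequence in the prefix or suffix becomes U+FFFD before joining.
fn chunk_name_lossy(prefix: &OsStr, index: &str, suffix: &OsStr) -> OsString {
    let name = format!(
        "{}{}{}",
        prefix.to_string_lossy(),
        index,
        suffix.to_string_lossy()
    );
    OsString::from(name)
}

/// Byte-preserving construction: concatenate the raw pathname bytes.
fn chunk_name_raw(prefix: &OsStr, index: &str, suffix: &OsStr) -> OsString {
    let mut bytes = prefix.as_bytes().to_vec();
    bytes.extend_from_slice(index.as_bytes());
    bytes.extend_from_slice(suffix.as_bytes());
    OsString::from_vec(bytes)
}

/// Number of distinct first-chunk names a builder yields for the prefixes.
fn distinct_names(
    prefixes: &[&[u8]],
    build: fn(&OsStr, &str, &OsStr) -> OsString,
) -> usize {
    prefixes
        .iter()
        .map(|p| build(OsStr::from_bytes(p), "aa", OsStr::new("")))
        .collect::<HashSet<_>>()
        .len()
}

fn main() {
    // Constructed sample: two different Latin-1 prefixes (0xE9 and 0xE8).
    let prefixes: [&[u8]; 2] = [b"caf\xE9_", b"caf\xE8_"];
    for p in prefixes.iter() {
        let p = OsStr::from_bytes(p);
        println!("lossy: {:?}", chunk_name_lossy(p, "aa", OsStr::new("")));
        println!("raw:   {:?}", chunk_name_raw(p, "aa", OsStr::new("")));
    }
    println!("distinct lossy: {}", distinct_names(&prefixes, chunk_name_lossy));
    println!("distinct raw:   {}", distinct_names(&prefixes, chunk_name_raw));
}
```

Both prefixes map to the same lossy name, so the second run would write over the first run's chunks, while the byte-preserving builder keeps the two outputs apart.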

Affected Systems

The uutils coreutils split command is affected. No explicit affected-version information is provided; however, the vulnerability was fixed in the 0.8.0 release as indicated by the advisory links.

Risk and Exploitability

The CVSS score is 3.3, indicating a low severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is local and that an attacker would need write access to the directory where split is executed. Exploitation would result only in data integrity problems rather than broader system compromise.

Generated by OpenCVE AI on April 27, 2026 at 08:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to version 0.8.0 or later to apply the authoritative fix.
  • Until the update is applied, avoid using split with non‑UTF‑8 prefixes or suffixes; ensure that all inputs to split are valid UTF‑8 to prevent lossy filename encoding.
  • Implement validation of filename characters in scripts that call split to detect and correct invalid names before processing the output.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Uutils; Uutils coreutils
Vendors & Products | | Uutils; Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.
Title | | uutils coreutils split Local Data Integrity Issue via Lossy Filename Encoding
Weaknesses | | CWE-176
References | |
Metrics | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:17:35.677Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35375

Vulnrichment

Updated: 2026-04-22T17:17:26.187Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T17:16:42.293

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35375

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:53:28Z

Weaknesses