Description
A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches (branches that should be ignored due to short-circuiting) are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning the expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.
Published: 2026-04-22
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Update
AI Analysis

Impact

The expr utility in the uutils coreutils package contains a logic error that causes parenthesized subexpressions to be evaluated during parsing instead of during execution. Because of this flaw, logical OR (|) and AND (&) operations cannot short-circuit as expected. Arithmetic errors such as division by zero inside branches that should never be evaluated trigger a fatal error. When an expr expression is used inside a shell script, the script fails instead of returning the intended boolean value, breaking control flow and causing a denial of service to the script's user.
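The mechanism described above is easiest to see in a small model of expr's evaluator. The following is an added illustration, not code from uutils or GNU coreutils: it supports only integer literals, `/`, `&`, `|` and parentheses (expr's precedence, GNU's "zero or null is false" semantics), and parses the same argv-style token list twice, once folding a parenthesized group into a value at parse time (the flaw) and once leaving it as a tree node that the evaluator can walk with evaluation switched off, which is how GNU expr skips a dead branch.

```python
def evaluate(node, run=True):
    """Walk an AST. run=False traverses a dead branch without computing it,
    which is how GNU expr short-circuits '|' and '&' (its 'evaluate' flag)."""
    kind = node[0]
    if kind == "lit":
        return node[1]
    l = evaluate(node[1], run)
    if kind == "/":
        r = evaluate(node[2], run)
        return int(l / r) if run else 0  # ZeroDivisionError only on a live branch
    # '|' needs its right side only when the left is 0, '&' only when it is non-zero
    r = evaluate(node[2], run and (l == 0 if kind == "|" else l != 0))
    return (l if l != 0 else r) if kind == "|" else (l if l != 0 and r != 0 else 0)

def parse(argv, eager):
    """Recursive-descent parser over expr's argv. With eager=True a '( ... )' group is
    evaluated as soon as it is parsed, before the evaluator can learn that the branch
    is dead (the CWE-768 flaw); with eager=False it stays an AST node."""
    toks = list(argv) + [None]  # None marks the end of the argument list
    def atom():
        tok = toks.pop(0)
        if tok == "(":
            inner = or_expr()
            if toks.pop(0) != ")":
                raise ValueError("syntax error: expecting ')'")
            return ("lit", evaluate(inner)) if eager else inner
        if tok is None or tok == ")":
            raise ValueError("syntax error")
        return ("lit", int(tok))  # ValueError for a non-integer argument
    def chain(sub, op):  # one left-associative operator level
        node = sub()
        while toks[0] == op:
            toks.pop(0)
            node = (op, node, sub())
        return node
    div_expr = lambda: chain(atom, "/")
    and_expr = lambda: chain(div_expr, "&")
    or_expr = lambda: chain(and_expr, "|")
    node = or_expr()
    if toks[0] is not None:
        raise ValueError("syntax error")
    return node

def run_expr(argv, eager=False):
    """Mimic expr's contract: (output, status) with 0 = non-zero result, 1 = zero, 2 = error."""
    try:
        value = evaluate(parse(argv, eager))
    except (ValueError, ZeroDivisionError) as err:
        return ("expr: " + str(err), 2)
    return (str(value), 0 if value != 0 else 1)
```

In a shell the first case below is `expr 0 \& \( 1 / 0 \)`: with eager parsing it dies with a division-by-zero error, which is the hard failure the advisory describes, whereas the GNU-style evaluator returns 0 as the guard intended.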

Affected Systems

The affected product is the expr command bundled with the Uutils coreutils distribution. No specific product version range is listed in the advisory, but the issue is present in any version released before the update that resolves the parsing flaw.

Risk and Exploitability

The CVSS score of 3.3 indicates a low severity impact, and the EPSS score is unavailable, suggesting no publicly documented exploitation yet. The vulnerability is limited to scenarios where an attacker can influence the contents of expressions executed by expr, such as in user-supplied scripts or commands. Because the flaw triggers a fatal error rather than leaking information or allowing arbitrary code execution, the exploitability is low and the impact is confined to a local denial of service within affected scripts.

Generated by OpenCVE AI on April 22, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest uutils coreutils release (for example, version 0.8.0 or later) where the parsing issue has been fixed.
  • Audit existing shell scripts that use expr to ensure no guarded expressions can raise arithmetic errors and refactor them if necessary.
  • As a temporary measure, avoid using parentheses in logical expressions that could lead to dead-branch errors, or explicitly test subexpressions before inclusion in expr statements.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:15:00 +0000

Values added (nothing removed):
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Values added (nothing removed):
  Description: A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.
  Title: uutils coreutils expr Local Denial of Service via Eager Evaluation of Parenthesized Subexpressions
  Weaknesses: CWE-768
  References: (none listed)
  Metrics: cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:00:13.453Z

Reserved: 2026-04-02T12:58:56.089Z

Link: CVE-2026-35378

Vulnrichment

Updated: 2026-04-22T16:59:45.867Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T17:16:42.730

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses