Description
A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches (branches that short-circuiting should skip) are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning the expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update
AI Analysis

Impact

The expr utility in the uutils coreutils package contains a logic error that causes parenthesized subexpressions to be evaluated during parsing instead of during execution. Because of this flaw, logical OR (|) and AND (&) operations cannot short‑circuit as expected. Arithmetic errors such as division by zero inside branches that should never be evaluated trigger a fatal error. When an expr expression is used inside a shell script, the script fails instead of returning the intended boolean value, breaking control flow and causing a denial of service to the script's user.
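To make the parse-time versus run-time distinction concrete, here is an added Python model of a tiny expr-style evaluator; it is illustrative code written for this page, not uutils or GNU code. The `eager` flag folds parenthesized groups while parsing, as the advisory describes, while the default builds the tree first so that `|` and `&` can skip their right-hand operand; token lists mirror the arguments a shell would pass to expr, and the `Parser`, `evaluate` and `run` names are this example's own.

```python
# Added illustration, not uutils or GNU code: a toy model of expr's '|' and '&'
# grammar. eager=True models the reported flaw (groups folded during parsing).
class ExprError(Exception):
    pass

class Parser:
    def __init__(self, tokens, eager=False):
        self.toks, self.pos, self.eager = list(tokens), 0, eager
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok, self.pos = self.peek(), self.pos + 1
        return tok
    def binary(self, op, sub):          # left-associative chain of one operator
        node = sub()
        while self.peek() == op:
            self.take()
            node = (op, node, sub())
        return node
    def parse_or(self):                 # precedence: '|' < '&' < '/'
        return self.binary("|", lambda: self.binary("&", lambda: self.binary("/", self.parse_atom)))
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ExprError("syntax error: expecting )")
            # Modelled flaw: eager mode folds the group now, so a division by zero in
            # a branch that '|' or '&' would later skip is already fatal here.
            return ("num", evaluate(inner)) if self.eager else inner
        return ("num", int(tok))        # non-negative integers only in this model

def evaluate(node):
    if node[0] == "num":
        return node[1]
    op, lhs, rhs = node
    left = evaluate(lhs)
    if op == "|":                       # nonzero left: right operand never evaluated
        return left if left != 0 else evaluate(rhs)
    if op == "&":                       # zero left: right operand never evaluated
        return 0 if left == 0 else (left if evaluate(rhs) != 0 else 0)
    right = evaluate(rhs)
    if right == 0:
        raise ExprError("division by zero")
    return left // right

def run(args, eager=False):
    # A fatal error comes back as the message expr would print, instead of a value.
    try:
        return evaluate(Parser(args, eager).parse_or())
    except ExprError as exc:
        return "expr: " + str(exc)
```

`run(["1", "|", "(", "1", "/", "0", ")"])` returns 1 in lazy mode and the division-by-zero message in eager mode, which is exactly the guarded-expression failure the advisory describes.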

Affected Systems

The affected product is the expr command bundled with the Uutils coreutils distribution. No specific product version range is listed in the advisory, but the issue is present in any version released before the update that resolves the parsing flaw.

Risk and Exploitability

The CVSS score of 3.3 indicates low severity, and the EPSS score of 0.00014 indicates a very low estimated probability of exploitation in the wild. The vulnerability is limited to scenarios where an attacker can influence the contents of expressions evaluated by expr, such as expressions built from user‑supplied input in shell scripts or commands. Because the flaw causes a fatal error rather than leaking information or allowing arbitrary code execution, exploitability is low and the impact is confined to a local denial of service within the affected scripts.

Generated by OpenCVE AI on April 28, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest uutils coreutils release (for example, version 0.8.0 or later) where the parsing issue has been fixed.
  • Audit existing shell scripts that use expr to ensure no guarded expressions can raise arithmetic errors and refactor them if necessary.
  • As a temporary measure, avoid using parentheses in logical expressions that could lead to dead‑branch errors, or explicitly test subexpressions before inclusion in expr statements.

Advisories
Source: GitHub GHSA
ID: GHSA-5pv5-xh52-hvrp
Title: uutils coreutils has an Incorrect Short Circuit Evaluation Issue

History

Mon, 04 May 2026 19:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

Mon, 27 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Uutils; Uutils coreutils
Type: Vendors & Products
Values Added: Uutils; Uutils coreutils

Wed, 22 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type: Description
Values Added: A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.
Type: Title
Values Added: uutils coreutils expr Local Denial of Service via Eager Evaluation of Parenthesized Subexpressions
Type: Weaknesses
Values Added: CWE-768
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED
Assigner: canonical
Published:
Updated: 2026-04-22T17:00:13.453Z
Reserved: 2026-04-02T12:58:56.089Z
Link: CVE-2026-35378

Vulnrichment

Updated: 2026-04-22T16:59:45.867Z

NVD

Status: Analyzed
Published: 2026-04-22T17:16:42.730
Modified: 2026-05-04T18:48:36.020
Link: CVE-2026-35378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z

Weaknesses