Description
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity Violation
Action: Assess Impact
AI Analysis

Impact

The tr utility in uutils coreutils contains a logic error that misclassifies the POSIX [:graph:] and [:print:] character classes by incorrectly treating the ASCII space character as graphically printable and excluding it from printable. Because of this inversion, scripts that intend to preserve whitespace or remove only visible characters may inadvertently delete all space characters, corrupting data or causing downstream processing errors.

Affected Systems

The affected product is Uutils coreutils. No specific affected version is provided in the CVE payload, so all currently available releases may be susceptible until a patch is released.

Risk and Exploitability

Based on the description, it is inferred that exploitation requires local access to the tr command and there is no remote or privilege‑escalation vector. The CVSS score of 3.3 indicates low severity. The EPSS score is < 1% and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation likelihood under current conditions.

Generated by OpenCVE AI on April 28, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check with the Uutils coreutils maintainers or community for an official patch or update that addresses the character class handling issue.
  • Avoid using tr with the [:graph:] or [:print:] classes in scripts that depend on POSIX semantics until a verified fix is available.
  • Validate tr output in automated workflows to detect unexpected removal of whitespace and mitigate potential data corruption.

Generated by OpenCVE AI on April 28, 2026 at 15:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fhr3-xh3q-69w6 uutils coreutils has an Incorrect Provision of Specified Functionality Issue
History

Wed, 29 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Uutils
Uutils coreutils
Vendors & Products Uutils
Uutils coreutils

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.
Title uutils coreutils tr Local Logic Error and Data Integrity Issue in Character Class Handling
Weaknesses CWE-684
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Uutils Coreutils
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T16:59:11.751Z

Reserved: 2026-04-02T12:58:56.089Z

Link: CVE-2026-35379

cve-icon Vulnrichment

Updated: 2026-04-22T16:59:07.039Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:42.887

Modified: 2026-04-29T15:59:08.450

Link: CVE-2026-35379

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z

Weaknesses