CVE-2026-35348 MEDIUM

CVE-2026-35348: uutils coreutils sort Local Denial of Service via Forced UTF-8 Parsing

Vendor Uutils
Product coreutils
Weakness CWE-248
Published April 22, 2026
Last update April 22, 2026

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated