CVE-2026-35373
Logic Error in uutils ln Causes Local Denial of Service
Publication date: 2026-04-22
Last updated on: 2026-05-04
Assigner: Canonical Ltd.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-176 | The product does not properly handle when an input contains Unicode encoding. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in the ln utility of uutils coreutils. The program rejects source paths that contain non-UTF-8 filename bytes when using target-directory forms (for example, ln SOURCE... DIRECTORY). Unlike GNU ln, which treats filenames as raw bytes and creates links correctly, the uutils implementation enforces UTF-8 encoding. This enforcement causes the utility to fail to access the file and return a non-zero exit code.
As a result, in environments where automated scripts or system tasks handle valid but non-UTF-8 filenames common on Unix filesystems, the utility fails, causing a local denial of service for those operations.
How can this vulnerability impact me?
This vulnerability can cause local denial of service by making the ln utility fail when processing valid filenames that contain non-UTF-8 bytes. Automated scripts or system tasks that rely on ln to create links for such files will fail, potentially disrupting workflows or system operations that depend on these links.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes the ln utility in uutils coreutils to fail when handling source paths with non-UTF-8 filenames, resulting in a local denial of service for operations involving such files.
However, there is no information provided in the context or resources about any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to create symbolic or hard links using the uutils ln utility on files with non-UTF-8 encoded filenames. If the ln command fails with an error indicating it cannot stat the source file and returns a non-zero exit code, it indicates the presence of the vulnerability.
A practical detection method is to create a test file with a non-UTF-8 byte in its name and then try to link it using uutils ln in target-directory mode.
- Create a file with a non-UTF-8 byte in the filename, for example using a byte value 0xFF.
- Run the command: ln <non-UTF-8-filename> <target-directory>
- If the command fails with a "cannot stat" error and does not create the link, the vulnerability is present.
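
The detection steps above as a shell function, added here as an example (it is not code from the advisory or from the uutils project). The function name `check_ln_non_utf8` and the `LN_BIN` variable are assumptions made for this sketch, and the probe needs a filesystem that accepts arbitrary bytes in filenames.

```shell
#!/bin/sh
# check_ln_non_utf8 LN_CMD   (hypothetical helper, not part of any project)
# Return codes:
#   0  link created: the non-UTF-8 source name was handled as raw bytes
#   1  LN_CMD failed or created no link (behaviour described for CVE-2026-35373)
#   2  probe could not be set up (e.g. the filesystem rejected the name)
# The body runs in a subshell so variables and the cleanup trap stay local.
check_ln_non_utf8() (
    ln_cmd=${1:-ln}
    work=$(mktemp -d) || exit 2
    trap 'rm -rf "$work"' EXIT

    # Constructed probe name: "probe_" + byte 0xFF + ".txt".
    # 0xFF never appears in valid UTF-8, so the name is not valid UTF-8.
    name=$(printf 'probe_\377.txt')
    mkdir "$work/target" || exit 2
    printf 'probe\n' > "$work/$name" || exit 2

    # Target-directory form from the advisory: ln SOURCE DIRECTORY
    if "$ln_cmd" -- "$work/$name" "$work/target" 2>"$work/stderr"; then
        # Exit status alone is not enough; confirm the link really exists.
        if [ -e "$work/target/$name" ]; then
            exit 0
        fi
    fi
    cat "$work/stderr" >&2   # show the tool's own error, e.g. "cannot stat"
    exit 1
)

# Probe the ln found on PATH, or the binary named in LN_BIN (assumed variable).
rc=0
check_ln_non_utf8 "${LN_BIN:-ln}" || rc=$?
case $rc in
    0) echo "link created: non-UTF-8 source names are handled" ;;
    1) echo "ln rejected the non-UTF-8 source name (behaviour described in this advisory)" ;;
    *) echo "probe setup failed: result inconclusive" ;;
esac
```

Run it once against each `ln` a host can resolve (for example with `LN_BIN` pointing at the uutils binary and again at GNU `ln`) to see which one automated jobs will actually hit.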
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the uutils coreutils package to a version that includes the fix for CVE-2026-35373. The fix aligns the behavior of uutils ln with GNU ln by allowing non-UTF-8 source filenames in target-directory modes.
Until the update is applied, avoid using uutils ln to create links for files with non-UTF-8 encoded filenames, or use GNU ln as an alternative where possible.