CVE-2026-35373
Received Received - Intake
Logic Error in uutils ln Causes Local Denial of Service

Publication date: 2026-04-22

Last updated on: 2026-05-04

Assigner: Canonical Ltd.

Description
A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35373
EUVD
EUVD-2026-25022
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-176 The product does not properly handle when an input contains Unicode encoding.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability causes the ln utility in uutils coreutils to fail when handling source paths with non-UTF-8 filenames, resulting in a local denial of service for operations involving such files.

However, there is no information provided in the context or resources about any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a logic error in the ln utility of uutils coreutils. The program rejects source paths that contain non-UTF-8 filename bytes when using target-directory forms (for example, ln SOURCE... DIRECTORY). Unlike GNU ln, which treats filenames as raw bytes and creates links correctly, the uutils implementation enforces UTF-8 encoding. This enforcement causes the utility to fail to access the file and return a non-zero exit code.

As a result, in environments where automated scripts or system tasks handle valid but non-UTF-8 filenames common on Unix filesystems, the utility fails, causing a local denial of service for those operations.

Impact Analysis

This vulnerability can cause local denial of service by making the ln utility fail when processing valid filenames that contain non-UTF-8 bytes. Automated scripts or system tasks that rely on ln to create links for such files will fail, potentially disrupting workflows or system operations that depend on these links.

Detection Guidance

This vulnerability can be detected by attempting to create symbolic or hard links using the uutils ln utility on files with non-UTF-8 encoded filenames. If the ln command fails with an error indicating it cannot stat the source file and returns a non-zero exit code, it indicates the presence of the vulnerability.

A practical detection method is to create a test file with a non-UTF-8 byte in its name and then try to link it using uutils ln in target-directory mode.

  • Create a file with a non-UTF-8 byte in the filename, for example using a byte value 0xFF.
  • Run the command: ln <non-UTF-8-filename> <target-directory>
  • If the command fails with a "cannot stat" error and does not create the link, the vulnerability is present.
Mitigation Strategies

To mitigate this vulnerability, update the uutils coreutils package to a version that includes the fix for CVE-2026-35373. The fix aligns the behavior of uutils ln with GNU ln by allowing non-UTF-8 source filenames in target-directory modes.

Until the update is applied, avoid using uutils ln to create links for files with non-UTF-8 encoded filenames, or use GNU ln as an alternative where possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35373. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart