CVE-2026-35378
Logic Error in uutils coreutils expr Causes Script Failures
Publication date: 2026-04-22
Last updated on: 2026-05-04
Assigner: Canonical Ltd.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | versions earlier than 0.8.0 (0.8.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-768 | Incorrect Short Circuit Evaluation: the product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in the expr utility of uutils coreutils, a Rust reimplementation of GNU coreutils. The program evaluates parenthesized subexpressions while it parses the expression instead of deferring them to the evaluation phase. Because of this, expr fails to short-circuit the logical OR (|) and AND (&) operators when the right-hand operand is a parenthesized group: the group is computed even when the left-hand operand has already decided the result.
As a result, arithmetic errors such as division by zero in branches that should never run (dead branches) are reported as errors, and expr exits with a non-zero status. GNU expr only parses, and does not evaluate, a dead branch, so the same guarded expression returns the expected value without error.
Shell scripts written against GNU-compatible behavior can therefore terminate prematurely (especially under `set -e`) or take the wrong control-flow path. This is a correctness and availability issue, not a memory-safety one.
How can this vulnerability impact me?
The vulnerability can cause shell scripts that use the expr utility from uutils coreutils to fail unexpectedly. Specifically, scripts that rely on short-circuiting logical operations to avoid errors may instead encounter fatal arithmetic errors like division by zero.
This premature termination of scripts can disrupt automated processes, cause unexpected behavior in system operations, and potentially lead to downtime or failures in environments that depend on these scripts for control flow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running a test command in which expr is given a parenthesized subexpression containing an arithmetic error in a branch that should be short-circuited, and comparing the result with GNU expr's behavior. Note that each operator and parenthesis must be passed as its own argument, and `|`, `(` and `)` must be quoted so the shell does not interpret them.
For example, run `expr 1 '|' '(' 1 / 0 ')'; echo "exit=$?"` with the expr binary under test (check which one is first in `PATH` with `command -v expr`, since a distribution may ship uutils and GNU coreutils side by side). The left operand `1` is non-null, so the right-hand division must never be evaluated.
On a vulnerable system, this command prints an error such as "expr: division by zero" and exits with status 2. On a fixed version or on GNU coreutils, it prints "1", exits with status 0, and produces no error.
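To make the difference between the two evaluation strategies concrete, the following added example (written for this page; it is neither uutils' nor GNU coreutils' code) implements a small expr-style evaluator for integers with `|`, `&`, `+`, `-`, `*`, `/`, `%` and parentheses. It follows the GNU approach of carrying an `evaluate` flag that turns arithmetic off inside a dead branch, and an `eager_parens` switch models the defect described above, where a parenthesized group is always computed. String operands, comparisons and `:` are omitted; the token strings used in `main` and the `(exit 2)` label are taken from the detection command above.

```rust
// Added example (not uutils' or GNU's code): a minimal expr-style evaluator
// that models the two evaluation strategies. Tokens are whitespace-separated,
// standing in for the separate argv entries that expr receives.
use std::fmt;

#[derive(Debug, Clone, PartialEq)]
pub enum ExprError {
    DivisionByZero,
    Syntax(String),
}

impl fmt::Display for ExprError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ExprError::DivisionByZero => write!(f, "division by zero"),
            ExprError::Syntax(m) => write!(f, "{m}"),
        }
    }
}

struct Parser<'a> {
    toks: Vec<&'a str>,
    pos: usize,
    // GNU-style flag: when false the parser still consumes tokens (so syntax
    // is checked) but performs no arithmetic, so a dead branch cannot raise
    // a runtime error such as division by zero.
    evaluate: bool,
    // Models the defect: a parenthesized group is always computed, even when
    // the enclosing branch is dead, because its value is produced at parse time.
    eager_parens: bool,
}

impl<'a> Parser<'a> {
    fn peek(&self) -> Option<&'a str> { self.toks.get(self.pos).copied() }
    fn next(&mut self) -> Option<&'a str> { let t = self.peek(); self.pos += 1; t }

    // or := and ( '|' and )*  -- the right side is live only if the left is null (0)
    fn parse_or(&mut self) -> Result<i64, ExprError> {
        let mut l = self.parse_and()?;
        while self.peek() == Some("|") {
            self.pos += 1;
            let saved = self.evaluate;
            self.evaluate = saved && l == 0;
            let r = self.parse_and()?;
            self.evaluate = saved;
            if l == 0 { l = r; }
        }
        Ok(l)
    }

    // and := add ( '&' add )*  -- the right side is live only if the left is non-null
    fn parse_and(&mut self) -> Result<i64, ExprError> {
        let mut l = self.parse_add()?;
        while self.peek() == Some("&") {
            self.pos += 1;
            let saved = self.evaluate;
            self.evaluate = saved && l != 0;
            let r = self.parse_add()?;
            self.evaluate = saved;
            if l == 0 || r == 0 { l = 0; }
        }
        Ok(l)
    }

    fn parse_add(&mut self) -> Result<i64, ExprError> {
        let mut l = self.parse_mul()?;
        loop {
            let op = match self.peek() { Some(op @ ("+" | "-")) => op, _ => return Ok(l) };
            self.pos += 1;
            let r = self.parse_mul()?;
            if self.evaluate {
                l = if op == "+" { l.wrapping_add(r) } else { l.wrapping_sub(r) };
            }
        }
    }

    fn parse_mul(&mut self) -> Result<i64, ExprError> {
        let mut l = self.parse_primary()?;
        loop {
            let op = match self.peek() { Some(op @ ("*" | "/" | "%")) => op, _ => return Ok(l) };
            self.pos += 1;
            let r = self.parse_primary()?;
            if !self.evaluate { continue; } // dead branch: parsed, never computed
            if op == "*" { l = l.wrapping_mul(r); continue; }
            if r == 0 { return Err(ExprError::DivisionByZero); }
            l = if op == "/" { l / r } else { l % r };
        }
    }

    // primary := '(' or ')' | integer
    fn parse_primary(&mut self) -> Result<i64, ExprError> {
        match self.next() {
            Some("(") => {
                let saved = self.evaluate;
                if self.eager_parens { self.evaluate = true; } // the bug: group is always live
                let v = self.parse_or()?;
                self.evaluate = saved;
                if self.next() != Some(")") { return Err(ExprError::Syntax("expected )".into())); }
                Ok(v)
            }
            Some(tok) => tok.parse::<i64>().map_err(|_| ExprError::Syntax(format!("non-integer argument: {tok}"))),
            None => Err(ExprError::Syntax("syntax error: unexpected end of expression".into())),
        }
    }
}

/// Evaluates `expr`; `eager_parens = true` reproduces the vulnerable behavior.
pub fn eval_expr(expr: &str, eager_parens: bool) -> Result<i64, ExprError> {
    let mut p = Parser { toks: expr.split_whitespace().collect(), pos: 0, evaluate: true, eager_parens };
    let v = p.parse_or()?;
    if p.pos != p.toks.len() { return Err(ExprError::Syntax("syntax error: unexpected argument".into())); }
    Ok(v)
}

fn main() {
    // The page's detection command, run against both models.
    let expr = "1 | ( 1 / 0 )";
    for (label, eager) in [("fixed / GNU-style", false), ("vulnerable model", true)] {
        match eval_expr(expr, eager) {
            Ok(v) => println!("{label}: expr {expr} -> {v} (exit 0)"),
            Err(e) => println!("{label}: expr {expr} -> expr: {e} (exit 2)"),
        }
    }
}
```

The essential point is in `parse_primary`: the only difference between the two models is whether a `(` resets `evaluate` to true. Without parentheses (`1 | 1 / 0`) both models short-circuit correctly, which is why the detection command above must include the parenthesized group.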
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the uutils coreutils package to a version that includes the fix merged in Pull Request #11395 (the affected range listed above ends before 0.8.0).
This fix changes the expr utility so that parenthesized dead branches are no longer evaluated eagerly, restoring short-circuit evaluation of | and & and preventing the spurious arithmetic errors.
Until the update is applied, avoid expr expressions that depend on short-circuiting to guard a parenthesized subexpression that can fail (for example a division whose divisor may be zero). Where a script must keep running, move the guard into the shell, for example by testing the divisor with `[ "$d" -ne 0 ]` before calling expr, or use the shell's own `$(( ))` arithmetic, which does not involve expr.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.