CVE-2026-35379
Logic Error in uutils coreutils tr Causes Data Corruption

Publication date: 2026-04-22

Last updated on: 2026-04-29

Assigner: Canonical Ltd.

Description
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: uutils
Product: coreutils
Version / Range: to 0.8.0 (exc)
CWE
CWE-684: The code does not function according to its published specifications, potentially leading to incorrect usage.
Executive Summary

This vulnerability is a logic error in the tr utility of uutils coreutils where the program incorrectly defines the [:graph:] and [:print:] character classes.

Specifically, the implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, reversing the standard behavior established by POSIX and GNU coreutils.

As a result, when the utility is used in automated scripts or data-cleaning pipelines that rely on the standard character class semantics, it can cause unintended data modification or loss.

For example, a command intended to delete all graphical characters while preserving whitespace will incorrectly delete all ASCII spaces, potentially causing data corruption or logic failures in downstream processing.

Impact Analysis

This vulnerability can lead to unintended data modification or loss when using the tr utility in automated scripts or data-cleaning pipelines.

Specifically, commands that rely on the correct definition of character classes may delete ASCII space characters unintentionally.

This can result in data corruption or logic failures in downstream processing, potentially affecting the integrity of your data and the correctness of your automated workflows.

Compliance Impact

The vulnerability in the tr utility of uutils coreutils causes incorrect handling of character classes, leading to unintended data modification or loss in automated scripts or data-cleaning pipelines.

While this can result in data corruption or logic failures in downstream processing, there is no direct information provided about its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by testing the behavior of the `tr` utility in the uutils/coreutils package with respect to the character classes [:graph:] and [:print:]. Specifically, you can check if the ASCII space character (0x20) is incorrectly included in [:graph:] and excluded from [:print:].

A reproducible test command is:

  • `printf 'a b\n' | tr -d '[:graph:]' | od -An -t x1`

If the output is `0a` (newline only), it indicates the vulnerability is present because the space was incorrectly treated as part of [:graph:] and deleted. The expected correct output according to POSIX/GNU behavior is `20 0a` (space and newline).
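
The check above can be extended to probe both classes and guard a pipeline before it runs. This is an added example, not code from the advisory or from the uutils project; the function names `probe`, `verdict` and `check_tr` and the `TR_BIN` variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify a tr implementation by how it treats ASCII space
# (0x20) in [:graph:] and [:print:]. TR_BIN is a hypothetical variable that
# names the tr command under test; it defaults to whatever "tr" is on PATH.

# probe CMD CLASS
# Deletes CLASS from the fixed input "a b\n" and prints the surviving bytes
# as space-separated hex, e.g. "20 0a".
probe() {
    # Expansions of $1/$2 happen before "set --" overwrites them.
    # LC_ALL=C pins the class definitions to the POSIX locale.
    set -- $(printf 'a b\n' | LC_ALL=C "$1" -d "$2" | od -An -t x1)
    echo "$*"
}

# verdict GRAPH_HEX PRINT_HEX
# POSIX: space is NOT in [:graph:] (it survives) and IS in [:print:] (deleted).
# The defect described in this advisory reverses both results.
verdict() {
    case "$1|$2" in
        "20 0a|0a") echo conformant ;;
        "0a|20 0a") echo affected ;;
        *)          echo unknown ;;
    esac
}

# check_tr CMD: run both probes against CMD and print the verdict.
check_tr() {
    verdict "$(probe "$1" '[:graph:]')" "$(probe "$1" '[:print:]')"
}

# Stand-alone use: report on the tr selected by TR_BIN (default: tr).
echo "tr character-class check: $(check_tr "${TR_BIN:-tr}")"
```

A pipeline that depends on these classes can call `check_tr` first and refuse to continue on any result other than `conformant`.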

Mitigation Strategies

To mitigate this vulnerability, you should update the uutils/coreutils package to a version that includes the fix correcting the character class mappings in the `tr` utility.

The fix was merged into the main branch on March 26, 2026, restoring correct behavior consistent with POSIX/GNU standards.

Until the update is applied, avoid using the `tr` utility from uutils/coreutils in automated scripts or data-cleaning pipelines that rely on standard [:graph:] and [:print:] character class semantics, as this may cause unintended data modification or loss.
