CVE-2026-35379
Logic Error in uutils coreutils tr Causes Data Corruption
Publication date: 2026-04-22
Last updated on: 2026-04-29
Assigner: Canonical Ltd.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | up to 0.8.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-684 | The code does not function according to its published specifications, potentially leading to incorrect usage. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in the tr utility of uutils coreutils where the program incorrectly defines the [:graph:] and [:print:] character classes.
Specifically, the implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, reversing the standard behavior established by POSIX and GNU coreutils.
As a result, when the utility is used in automated scripts or data-cleaning pipelines that rely on the standard character class semantics, it can cause unintended data modification or loss.
For example, a command intended to delete all graphical characters while preserving whitespace will incorrectly delete all ASCII spaces, potentially causing data corruption or logic failures in downstream processing.
How can this vulnerability impact me?
This vulnerability can lead to unintended data modification or loss when using the tr utility in automated scripts or data-cleaning pipelines.
Specifically, commands that rely on the correct definition of character classes may delete ASCII space characters unintentionally.
This can result in data corruption or logic failures in downstream processing, potentially affecting the integrity of your data and the correctness of your automated workflows.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the tr utility of uutils coreutils causes incorrect handling of character classes, leading to unintended data modification or loss in automated scripts or data-cleaning pipelines.
While this can result in data corruption or logic failures in downstream processing, there is no direct information provided about its impact on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the behavior of the `tr` utility in the uutils/coreutils package with respect to the character classes [:graph:] and [:print:]. Specifically, you can check if the ASCII space character (0x20) is incorrectly included in [:graph:] and excluded from [:print:].
A reproducible test command is:
- `printf 'a b\n' | tr -d '[:graph:]' | od -An -t x1`
If the output is `0a` (newline only), it indicates the vulnerability is present: `tr` deleted the space because it is incorrectly included in [:graph:], the same swap that excludes it from [:print:]. The expected correct output according to POSIX/GNU behavior is `20 0a` (space and newline).
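The same probe extended to both character classes, so it can run as a pre-flight check in a pipeline. This is an added example, not code from the advisory or the uutils project; `probe_class`, `check_tr` and the `TR_BIN` variable are names assumed for this example.

```shell
#!/bin/sh
# Added example: probe a tr implementation for the [:graph:]/[:print:] swap.
# probe_class, check_tr and TR_BIN are names chosen for this example.

# Feed the constructed input 'a b\n' to "<tr> -d <class>" and print the
# surviving bytes as space-separated hex, e.g. "20 0a".
probe_class() {
    hex=$(printf 'a b\n' | LC_ALL=C "$1" -d "$2" 2>/dev/null | od -An -t x1)
    echo $hex   # unquoted on purpose: collapses od's padding
}

# Classify the tr command given as $1.
# Returns 0 = ok, 1 = affected, 2 = unknown (probe failed or odd output).
check_tr() {
    graph=$(probe_class "$1" '[:graph:]')
    print=$(probe_class "$1" '[:print:]')
    case "$graph|$print" in
        # POSIX/GNU: space is in [:print:] but not in [:graph:]
        '20 0a|0a')        verdict=ok ;;
        # space deleted by [:graph:], or left behind by [:print:]
        '0a|'*|*'|20 0a')  verdict=affected ;;
        *)                 verdict=unknown ;;
    esac
    echo "$1: -d [:graph:] -> '$graph', -d [:print:] -> '$print' => $verdict"
    case $verdict in
        ok)       return 0 ;;
        affected) return 1 ;;
        *)        return 2 ;;
    esac
}

# Probe the tr on PATH, or the one named in TR_BIN. The verdict is printed;
# remove '|| :' to let a non-zero status fail a CI step.
check_tr "${TR_BIN:-tr}" || :
```

Set `TR_BIN` to the full path of a specific binary when more than one coreutils implementation is installed.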
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the uutils/coreutils package to a version that includes the fix correcting the character class mappings in the `tr` utility.
The fix was merged into the main branch on March 26, 2026, restoring correct behavior consistent with POSIX/GNU standards.
Until the update is applied, avoid using the `tr` utility from uutils/coreutils in automated scripts or data-cleaning pipelines that rely on standard [:graph:] and [:print:] character class semantics, as this may cause unintended data modification or loss.