CVE-2026-35348 | THREATINT

Description

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-22 | Updated 2026-04-22 | Assigner canonical

MEDIUM: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-248: Uncaught Exception

Product status

Default status

affected

Credits

Zellic finder

References

github.com/uutils/coreutils/issues/9696 exploit

github.com/uutils/coreutils/issues/9696 issue-tracking

cve.org (CVE-2026-35348)

nvd.nist.gov (CVE-2026-35348)

Download JSON