← Retour aux CVEs
CVE-2026-35375
LOW3.3
Description
A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.
Details CVE
Score CVSS v3.13.3
SeveriteLOW
Vecteur CVSSCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vecteur d'attaqueLOCAL
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie4/22/2026
Derniere modification4/22/2026
Sourcenvd
Observations honeypot0
Faiblesses (CWE)
CWE-176
References
https://github.com/uutils/coreutils/pull/11397(security@ubuntu.com)
https://github.com/uutils/coreutils/releases/tag/0.8.0(security@ubuntu.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.