CVE-2026-35378: CWE-768: Incorrect Short Circuit Evaluation in Uutils coreutils
A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.
AI Analysis
Technical Summary
The vulnerability in uutils coreutils expr utility arises from incorrect short-circuit evaluation due to evaluating parenthesized subexpressions during parsing rather than execution. This flaw prevents proper short-circuiting of logical OR (|) and AND (&) operations, causing arithmetic errors in logically dead branches to trigger fatal errors. This breaks compatibility with GNU expr behavior and can cause guarded shell script expressions to fail unexpectedly, resulting in premature script termination and disrupted control flow.
Potential Impact
The impact is limited to causing premature termination of shell scripts that use guarded expressions with logical OR and AND in the expr utility of uutils coreutils. This can break GNU-compatible shell control flow by raising fatal errors on arithmetic operations in branches that should be short-circuited. There is no direct confidentiality, integrity, or broad availability impact beyond script failures. The CVSS score is low (3.3), reflecting limited impact and local attack vector with low privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is currently documented. Users relying on uutils coreutils expr utility should monitor vendor communications for patches or updates addressing this logic error. Until then, consider avoiding use of guarded expressions that depend on short-circuit evaluation in this utility or use alternative implementations such as GNU expr.
CVE-2026-35378: CWE-768: Incorrect Short Circuit Evaluation in Uutils coreutils
Description
A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in uutils coreutils expr utility arises from incorrect short-circuit evaluation due to evaluating parenthesized subexpressions during parsing rather than execution. This flaw prevents proper short-circuiting of logical OR (|) and AND (&) operations, causing arithmetic errors in logically dead branches to trigger fatal errors. This breaks compatibility with GNU expr behavior and can cause guarded shell script expressions to fail unexpectedly, resulting in premature script termination and disrupted control flow.
Potential Impact
The impact is limited to causing premature termination of shell scripts that use guarded expressions with logical OR and AND in the expr utility of uutils coreutils. This can break GNU-compatible shell control flow by raising fatal errors on arithmetic operations in branches that should be short-circuited. There is no direct confidentiality, integrity, or broad availability impact beyond script failures. The CVSS score is low (3.3), reflecting limited impact and local attack vector with low privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is currently documented. Users relying on uutils coreutils expr utility should monitor vendor communications for patches or updates addressing this logic error. Until then, consider avoiding use of guarded expressions that depend on short-circuit evaluation in this utility or use alternative implementations such as GNU expr.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.089Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d719fe3cd2cdd02529
Added to database: 4/22/2026, 4:31:19 PM
Last enriched: 4/22/2026, 4:47:04 PM
Last updated: 4/22/2026, 5:34:58 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.