CVE-2026-35379: CWE-684: Incorrect Provision of Specified Functionality in Uutils coreutils
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.
AI Analysis
Technical Summary
The vulnerability in uutils coreutils' tr utility arises from a logic error in defining the [:graph:] and [:print:] character classes. Specifically, the ASCII space character is incorrectly included in [:graph:] and excluded from [:print:], contrary to POSIX and GNU coreutils standards. This misclassification causes commands that depend on these classes to behave incorrectly, for example, deleting spaces when they should be preserved. The issue affects version 0 of the product and has a low CVSS score of 3.3. There is no vendor advisory or patch available at this time, and no known exploits in the wild.
Potential Impact
The incorrect character class definitions can cause unintended data modification or loss in automated scripts or data-cleaning pipelines that rely on standard [:graph:] and [:print:] semantics. Specifically, commands intended to delete graphical characters while preserving spaces may delete spaces instead, potentially leading to data corruption or logic errors downstream. There is no direct confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should be cautious when using the tr utility in uutils coreutils for operations involving [:graph:] and [:print:] character classes. Consider verifying outputs manually or using alternative tools that conform to POSIX standards for character classes.
CVE-2026-35379: CWE-684: Incorrect Provision of Specified Functionality in Uutils coreutils
Description
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in uutils coreutils' tr utility arises from a logic error in defining the [:graph:] and [:print:] character classes. Specifically, the ASCII space character is incorrectly included in [:graph:] and excluded from [:print:], contrary to POSIX and GNU coreutils standards. This misclassification causes commands that depend on these classes to behave incorrectly, for example, deleting spaces when they should be preserved. The issue affects version 0 of the product and has a low CVSS score of 3.3. There is no vendor advisory or patch available at this time, and no known exploits in the wild.
Potential Impact
The incorrect character class definitions can cause unintended data modification or loss in automated scripts or data-cleaning pipelines that rely on standard [:graph:] and [:print:] semantics. Specifically, commands intended to delete graphical characters while preserving spaces may delete spaces instead, potentially leading to data corruption or logic errors downstream. There is no direct confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should be cautious when using the tr utility in uutils coreutils for operations involving [:graph:] and [:print:] character classes. Consider verifying outputs manually or using alternative tools that conform to POSIX standards for character classes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.089Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d719fe3cd2cdd0252d
Added to database: 4/22/2026, 4:31:19 PM
Last enriched: 4/22/2026, 4:46:55 PM
Last updated: 4/22/2026, 5:34:57 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.