CVE-2026-35375

LOW 3.3

uutils coreutils split Local Data Integrity Issue via Lossy Filename Encoding

CVSS Score

3.3

EPSS Score

0.0%

EPSS Percentile

0th

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.

CWE	CWE-176
Vendor	uutils
Product	coreutils
Published	Apr 22, 2026
Last Updated	Apr 22, 2026

Stay Ahead of the Next One

Get instant alerts for uutils coreutils

Be the first to know when new low vulnerabilities affecting uutils coreutils are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

Uutils / coreutils

0 < 0.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/uutils/coreutils/pull/11397 github.com: https://github.com/uutils/coreutils/releases/tag/0.8.0

Credits

Zellic