CVE-2026-35375

LOW

uutils coreutils split Local Data Integrity Issue via Lossy Filename Encoding

Title source: cna
STIX 2.1

Description

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.

References (2)

Core 2
Core References

Scores

CVSS v3 3.3
EPSS 0.0014
EPSS Percentile 4.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-176
Status published
Products (3)
crates.io/coreutils 0 - 0.8.0crates.io
Uutils/coreutils < 0.8.0
uutils/coreutils < 0.8.0
Published Apr 22, 2026
Tracked Since Apr 22, 2026