CVE-2026-35378

Description

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.

CVSS v3.1 Score

3.3

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

EPSS — Exploit Prediction

0.0002

Probability of exploitation

0.04%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-768 CWE-768

Affected Products

Vendor	Product	Versions
uutils	coreutils	< 0.8.0

References

Advisories & Patches

https://github.com/uutils/coreutils/pull/11395

Exploits

https://github.com/uutils/coreutils/pull/11395

Other References

https://github.com/uutils/coreutils/releases/tag/0.8.0

Frequently Asked Questions

What is CVE-2026-35378? +

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow. It has a CVSS v3.1 base score of 3.3 (LOW).

How severe is CVE-2026-35378? +

CVE-2026-35378 has a CVSS v3.1 score of 3.3 out of 10, rated LOW. This is a low-severity vulnerability with limited impact. The EPSS score is 0.0002, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-35378? +

CVE-2026-35378 affects products from uutils, specifically: coreutils. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-35378? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-35368 7.8

A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user …

CVE-2026-35338 7.3

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only …

CVE-2026-35341 7.1

A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to …

CVE-2026-35352 7.0

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO …

CVE-2026-35349 6.7

A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a …

CVE-2026-35350 6.6

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying …