CVE-2026-35348

· NIST NVD ↗

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

MEDIUM
CVSS severity
5.5
CVSS base score
2026-04-22
Published

CWE codes

CWE-248

Affected products

uutils:coreutils

Sources