CVE-2026-35348

Summary

The sort utility in uutils coreutils is vulnerable to a process panic when using the –files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-248: CWE-248: Uncaught Exception

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References