{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35378", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.089Z", "datePublished": "2026-04-22T16:09:14.702Z", "dateUpdated": "2026-04-22T17:00:13.453Z"}, "containers": {"cna": {"title": "uutils coreutils expr Local Denial of Service via Eager Evaluation of Parenthesized Subexpressions", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "versions": [{"status": "affected", "lessThan": "0.8.0", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-768", "description": "CWE-768: Incorrect Short Circuit Evaluation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153: Input Data Manipulation"}]}], "descriptions": [{"lang": "en", "value": "A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within \"dead\" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow."}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11395", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:09:14.702Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T16:59:40.449798Z", "id": "CVE-2026-35378", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:00:13.453Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35378", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T16:59:40.449798Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T16:59:45.867Z"}}], "cna": {"title": "uutils coreutils expr Local Denial of Service via Eager Evaluation of Parenthesized Subexpressions", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153: Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "versions": [{"status": "affected", "version": "0", "lessThan": "0.8.0", "versionType": "semver"}], "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11395", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within \"dead\" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-768", "description": "CWE-768: Incorrect Short Circuit Evaluation"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:09:14.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35378", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:00:13.453Z", "dateReserved": "2026-04-02T12:58:56.089Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:09:14.702Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2365DBBD-6F10-4651-8DA4-08AE79E14423", "versionEndExcluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within \"dead\" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow."}], "id": "CVE-2026-35378", "lastModified": "2026-05-04T18:48:36.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:42.730", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/uutils/coreutils/pull/11395"}, {"source": "security@ubuntu.com", "tags": ["Release Notes"], "url": "https://github.com/uutils/coreutils/releases/tag/0.8.0"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-768"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "unix", "macos"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "coreutils", "source": "cna", "vendor": "Uutils"}, "product": "coreutils", "vendor": "uutils"}], "analysis": {"en": {"generated_at": "2026-04-28T15:20:10.339472+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest uutils coreutils release (for example, version 0.8.0 or later) where the parsing issue has been fixed.", "Audit existing shell scripts that use expr to ensure no guarded expressions can raise arithmetic errors and refactor them if necessary.", "As a temporary measure, avoid using parentheses in logical expressions that could lead to dead\u2011branch errors, or explicitly test subexpressions before inclusion in expr statements."], "summary": {"action": "Update", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is the expr command bundled with the Uutils coreutils distribution. No specific product version range is listed in the advisory, but the issue is present in any version released before the update that resolves the parsing flaw.", "description_and_impact": "The expr utility in the uutils coreutils package contains a logic error that causes parenthesized subexpressions to be evaluated during parsing instead of during execution. Because of this flaw, logical OR (|) and AND (&) operations cannot short\u2011circuit as expected. Arithmetic errors such as division by zero inside branches that should never be evaluated trigger a fatal error. When an expr expression is used inside a shell script, the script fails instead of returning the intended boolean value, breaking control flow and causing a denial of service to the script's user.", "risk_and_exploitability": "The CVSS score of 3.3 indicates a low severity impact, and the EPSS score is 0.00014, suggesting no publicly documented exploitation yet. The vulnerability is limited to scenarios where an attacker can influence the contents of expressions executed by expr, such as in user\u2011supplied scripts or commands. The likely attack vector is an attacker crafting expressions within shell scripts or commands that are executed by expr, as this vulnerability only manifests when expr evaluates user\u2011controlled input. Because the flaw triggers a fatal error rather than leaking information or allowing arbitrary code execution, the exploitability is low and the impact is confined to a local denial of service within affected scripts."}}}}, "created": "2026-04-22T18:15:15.479749+00:00", "updated": "2026-04-28T15:30:34.816311+00:00", "vendors": ["uutils", "uutils$PRODUCT$coreutils"]}