#1136207 rust-coreutils: CVE-2026-35377

Package:
src:rust-coreutils
Source:
src:rust-coreutils
Submitter:
Moritz Mühlenhoff
Date:
2026-06-08 17:37:15 UTC
Severity:
normal
Tags:
#1136207#5
Date:
2026-05-10 18:13:16 UTC
From:
To:
Hi,

The following vulnerability was published for rust-coreutils.

CVE-2026-35377[0]:
| A logic error in the env utility of uutils coreutils causes a
| failure to correctly parse command-line arguments when utilizing the
| -S (split-string) option. In GNU env, backslashes within single
| quotes are treated literally (with the exceptions of \\ and \').
| However, the uutils implementation incorrectly attempts to validate
| these sequences, resulting in an "invalid sequence" error and an
| immediate process termination with an exit status of 125 when
| encountering valid but unrecognized sequences like \a or \x. This
| divergence from GNU behavior breaks compatibility for automated
| scripts and administrative workflows that rely on standard split-
| string semantics, leading to a local denial of service for those
| operations.

https://github.com/uutils/coreutils/pull/11512


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-35377
https://www.cve.org/CVERecord?id=CVE-2026-35377

Please adjust the affected versions in the BTS as needed.