uutils coreutils ln Local Denial of Service via Improper Handling of Non-UTF-8 Filenames

CVE	CVE-2026-35373
State	PUBLISHED
Assigner	canonical
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-22 17:16:41 UTC
Updated	2026-04-22 21:23:52 UTC
Description	A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.

Primary CVSS: v3.1 3.3 LOW from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Problem Types: CWE-176 | CWE-176 CWE-176: Improper Handling of Unicode Encoding

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Secondary	3.3	LOW	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L`
3.1	CNA	CVSS	3.3	LOW	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Source	Vendor	Product	Version	Platforms
CNA	Uutils	Coreutils	Not specified	Linux, Unix, macOS

Reference	Source	Link	Tags
github.com/uutils/coreutils/pull/11403	[email protected]	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Zellic (en)

There are currently no legacy QID mappings associated with this CVE.