Since coreutils 9.2 https://github.com/coreutils/coreutils/commit/40bf1591b introduced a heap overflow issue, which can be triggered like: { printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in split -C 131072 ---io=131072 in That will dump core, but as with all heap overflows is a potential security issue. I'll leave it up to you to determine whether a CVE is required. There is already a patch upstream, but it's not flagged as a security issue, in an abundance of caution, in case this issue in more security sensitive than first envisaged. The upstream patch is: https://github.com/coreutils/coreutils/commit/c4c5ed8f4.patch
https://bugzilla.redhat.com/show_bug.cgi?id=2258913
Created coreutils tracking bugs for this issue: Affects: fedora-all [bug 2258913]