Bug 2460792 (CVE-2026-35375) - CVE-2026-35375 rust-coreutils: split: local data integrity issue via lossy filename encoding
Keywords:
Status: NEW
Alias: CVE-2026-35375
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2461642 2461643
Blocks:
Reported: 2026-04-22 17:02 UTC by OSIDB Bzimport
Modified: 2026-04-24 19:13 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-22 17:02:58 UTC
A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data.
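
The collision described above, as an added example that is not part of the original report and is not uutils source code: two distinct non-UTF-8 prefixes map to the same chunk name once passed through to_string_lossy(), while byte-preserving construction keeps them apart. The function names, the "aa" suffix and the sample prefixes are constructed for illustration, and the code assumes a Unix target.

```rust
// Added illustration, not uutils source. Unix-only: uses raw-byte OsStr access.
use std::collections::HashSet;
use std::ffi::{OsStr, OsString};
use std::os::unix::ffi::{OsStrExt, OsStringExt};

/// Lossy construction, the pattern the report describes: invalid bytes in the
/// prefix become U+FFFD before the chunk suffix is appended.
fn chunk_name_lossy(prefix: &OsStr, suffix: &str) -> OsString {
    OsString::from(format!("{}{}", prefix.to_string_lossy(), suffix))
}

/// Byte-preserving construction, matching the GNU split behaviour the report
/// cites: the prefix bytes are copied through untouched.
fn chunk_name_bytes(prefix: &OsStr, suffix: &str) -> OsString {
    let mut raw = prefix.as_bytes().to_vec();
    raw.extend_from_slice(suffix.as_bytes());
    OsString::from_vec(raw)
}

/// Number of distinct output names a builder produces for a set of prefixes.
fn distinct_names(prefixes: &[&OsStr], build: fn(&OsStr, &str) -> OsString) -> usize {
    prefixes.iter().map(|p| build(*p, "aa")).collect::<HashSet<_>>().len()
}

/// Detection helper: true when lossy conversion would rewrite this prefix.
fn is_lossy(prefix: &OsStr) -> bool {
    prefix.to_str().is_none()
}

// Constructed sample input: Latin-1 "é" (0xE9) and "è" (0xE8), invalid as UTF-8.
const PREFIX_A: &[u8] = b"caf\xE9_";
const PREFIX_B: &[u8] = b"caf\xE8_";

fn main() {
    let prefixes = [OsStr::from_bytes(PREFIX_A), OsStr::from_bytes(PREFIX_B)];
    for p in prefixes {
        println!(
            "{:?} rewritten={} lossy={:?} bytes={:?}",
            p, is_lossy(p), chunk_name_lossy(p, "aa"), chunk_name_bytes(p, "aa")
        );
    }
    println!("distinct lossy names: {}", distinct_names(&prefixes, chunk_name_lossy));
    println!("distinct byte names:  {}", distinct_names(&prefixes, chunk_name_bytes));
}
```

A check like is_lossy() can be run over the prefixes an automation job passes to split to find invocations whose output names would be rewritten.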

