2460802 – (CVE-2026-35379) CVE-2026-35379 rust-coreutils: uutils coreutils tr utility: Data modification due to incorrect character class definitions

Bug 2460802 (CVE-2026-35379) - CVE-2026-35379 rust-coreutils: uutils coreutils tr utility: Data modification due to incorrect character class definitions

Summary: CVE-2026-35379 rust-coreutils: uutils coreutils tr utility: Data modification...

Keywords:
Status:	NEW
Alias:	CVE-2026-35379
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2463759 2463760
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 17:03 UTC by OSIDB Bzimport
Modified:	2026-04-29 09:58 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 17:03:32 UTC

A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.

Note You need to log in before you can comment on or make changes to this bug.