CVE-2026-35373: uutils coreutils ln Utility DoS Vulnerability

CVE-2026-35373 Overview

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.

Critical Impact

Automated scripts and system tasks relying on uutils coreutils may fail when processing valid non-UTF-8 filenames, causing operational disruptions in Unix environments.

Affected Products

• uutils coreutils (versions prior to the fix in PR #11403)

Discovery Timeline

• 2026-04-22 - CVE CVE-2026-35373 published to NVD
• 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35373

Vulnerability Analysis

This vulnerability represents a behavioral divergence between the uutils coreutils Rust implementation and the traditional GNU coreutils. The issue is classified under CWE-176 (Improper Handling of Unicode Encoding), where the uutils ln utility improperly enforces UTF-8 encoding requirements on filenames that may contain arbitrary byte sequences.

Unix filesystems traditionally allow filenames to contain any byte sequence except null bytes and forward slashes. This means valid filenames can include bytes that are not valid UTF-8 sequences. The GNU implementation of ln correctly handles these filenames as raw byte arrays, but the uutils Rust-based implementation attempts to process these filenames as UTF-8 strings, causing failures when encountering non-UTF-8 byte sequences.

When the ln utility encounters a source path with non-UTF-8 bytes in target-directory mode, it fails to properly stat the file and returns a non-zero exit code, effectively causing a denial of service for that specific operation.

Root Cause

The root cause is a logic error in how the uutils coreutils ln utility handles filename encoding. The Rust implementation enforces UTF-8 encoding on all filename strings, which conflicts with the POSIX standard that allows arbitrary byte sequences in filenames. This encoding enforcement occurs during the path processing phase, preventing the utility from correctly handling filenames that contain valid but non-UTF-8 byte sequences commonly found in Unix environments.

Attack Vector

This is a local attack vector requiring low privileges with no user interaction needed. An attacker or legitimate user working with non-UTF-8 filenames can trigger the denial of service condition. The impact is limited to availability, affecting only the specific ln operations that involve non-UTF-8 filenames. This is particularly impactful in automated environments where scripts process files with varied encoding in their names, such as files created by legacy systems, internationalized content, or binary data encoded in filenames.

The vulnerability manifests when using target-directory forms of the ln command (e.g., ln SOURCE... DIRECTORY). When the source path contains bytes that are not valid UTF-8, the utility fails to stat the file and exits with a non-zero return code, breaking automated workflows that depend on consistent behavior with GNU coreutils. For technical details, see the GitHub Pull Request #11403.

Detection Methods for CVE-2026-35373

Indicators of Compromise

• Non-zero exit codes from ln commands in automated scripts or cron jobs
• Error messages indicating failure to stat files with unusual or binary-like filenames
• Backup or synchronization scripts failing unexpectedly on specific files

Detection Strategies

• Monitor system logs for repeated ln utility failures with stat errors
• Audit automated scripts that use uutils coreutils ln for unexpected exit codes
• Test ln functionality against files with known non-UTF-8 byte sequences in their names

Monitoring Recommendations

• Implement monitoring for exit codes in critical scripts that depend on ln functionality
• Set up alerts for repeated failures in backup or file management automation
• Review cron job logs for patterns of ln command failures

How to Mitigate CVE-2026-35373

Immediate Actions Required

• Identify systems running uutils coreutils and assess dependency on ln with non-UTF-8 filenames
• Consider temporarily switching to GNU coreutils for affected operations until the patch is applied
• Test critical automated scripts against the fixed version before deployment

Patch Information

A fix has been developed and is available in Pull Request #11403 on the uutils coreutils GitHub repository. Users should update to the version containing this fix when it becomes available in a release.

Workarounds

• Use GNU coreutils ln instead of uutils coreutils for operations involving non-UTF-8 filenames
• Rename files to use UTF-8 compatible names before processing with uutils ln
• Implement wrapper scripts that detect non-UTF-8 filenames and handle them appropriately

To temporarily use GNU ln instead of uutils ln for affected operations, you can create an alias or modify your PATH to prioritize GNU coreutils. Consult the GitHub Pull Request for details on the permanent fix.