CVE-2026-35378 Overview
A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches—branches that should be ignored due to short-circuiting—are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.
Critical Impact
Shell scripts relying on GNU-compatible expr short-circuit evaluation may experience unexpected termination when arithmetic errors occur in branches that should never be evaluated, breaking control flow logic in production environments.
Affected Products
- uutils coreutils (versions prior to 0.8.0)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35378 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35378
Vulnerability Analysis
This vulnerability stems from a logic error in how the uutils coreutils implementation of expr handles expression evaluation. Unlike the GNU implementation, the affected versions evaluate parenthesized subexpressions during the parsing phase rather than deferring evaluation to the execution phase.
In standard expr behavior, logical operators | (OR) and & (AND) should implement short-circuit evaluation. For example, in the expression 1 | ( 1 / 0 ), the right-hand side should never be evaluated because the left operand 1 already satisfies the OR condition. However, due to this implementation flaw, the division by zero in the parenthesized expression is evaluated during parsing, causing a fatal error before execution logic can apply short-circuiting.
This behavior divergence can cause scripts that work correctly with GNU coreutils to fail unexpectedly when run with uutils coreutils. The impact is particularly problematic for defensive programming patterns that rely on short-circuit evaluation to guard against potentially erroneous operations.
Root Cause
The root cause is classified under CWE-768 (Incorrect Short Circuit Evaluation). The implementation incorrectly processes parenthesized subexpressions at parse time, before the logical operators have an opportunity to short-circuit and skip evaluation of unnecessary branches. This architectural decision violates the expected evaluation order where short-circuit logic should prevent evaluation of "dead" code paths.
Attack Vector
The vulnerability requires local access to exploit. An attacker or a poorly written script could trigger unexpected application behavior by crafting expressions that contain arithmetic errors in branches that would normally be short-circuited. While this does not directly lead to code execution or data compromise, it can cause denial of service through script failures, potentially disrupting automated processes, build systems, or system administration scripts that depend on expr for conditional logic.
The exploitation scenario typically involves shell scripts containing guarded expressions like:
# This should safely return 1 due to short-circuit evaluation
# but fails with division by zero error in affected versions
expr 1 '|' '(' 1 '/' 0 ')'
Detection Methods for CVE-2026-35378
Indicators of Compromise
- Unexpected script termination with "division by zero" or similar arithmetic errors
- Shell scripts that previously worked with GNU coreutils failing after switching to uutils coreutils
- Error messages from expr indicating evaluation of expressions that should have been short-circuited
Detection Strategies
- Audit shell scripts that use expr with logical operators (|, &) and parenthesized subexpressions containing potentially invalid arithmetic operations
- Test critical shell scripts against both GNU coreutils and uutils coreutils to identify behavioral differences
- Monitor system logs for unexpected expr utility failures in automated processes
Monitoring Recommendations
- Implement logging for shell script failures, particularly those involving the expr utility
- Review CI/CD pipelines and build systems that may use expr for conditional logic
- Track uutils coreutils version deployments across infrastructure to identify systems requiring updates
How to Mitigate CVE-2026-35378
Immediate Actions Required
- Upgrade uutils coreutils to version 0.8.0 or later, which contains the fix for this issue
- Review shell scripts that depend on expr short-circuit evaluation for potential failures
- Consider using alternative shell constructs (such as $(( )) arithmetic expansion or test/[ commands) that do not exhibit this issue
Patch Information
The fix for this vulnerability is available in uutils coreutils version 0.8.0. The patch addresses the expression evaluation order, ensuring parenthesized subexpressions are evaluated during the execution phase after short-circuit logic has been applied. For technical details on the fix, refer to the GitHub Pull Request #11395. The fixed version is available in the GitHub Release v0.8.0.
Workarounds
- Replace expr usage with shell-native arithmetic evaluation where possible (e.g., $(( ... )) in bash/zsh)
- Restructure scripts to avoid potentially erroneous operations in short-circuit branches
- Use explicit conditional statements (if/then/else) instead of relying on expr short-circuit behavior for critical logic
- Consider temporarily using GNU coreutils expr for scripts that require strict GNU compatibility
# Workaround: Use shell arithmetic instead of expr
# Instead of: result=$(expr 1 '|' '(' 1 '/' 0 ')')
# Use:
if [ 1 -ne 0 ]; then
result=1
else
result=$((1 / 0)) # This branch won't be reached
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
