CVE-2026-35379 Overview
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics.
Critical Impact
Automated scripts and data-cleaning pipelines relying on standard POSIX character class semantics may experience data corruption when using the affected tr utility. Commands intended to preserve whitespace while deleting graphical characters will incorrectly delete ASCII spaces, causing downstream processing failures.
Affected Products
- uutils coreutils (versions prior to 0.8.0)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35379 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35379
Vulnerability Analysis
This vulnerability stems from a Business Logic Error (CWE-684) in the character class handling within the uutils coreutils tr utility. The POSIX standard clearly defines that the [:graph:] class should include all printable characters except space, while [:print:] should include all printable characters including space. The affected implementation reverses this behavior, creating a subtle but impactful deviation from expected behavior.
When developers or system administrators use tr commands in automated pipelines, they rely on these character classes behaving according to established standards. The incorrect implementation causes unexpected data transformation, which can silently corrupt data or cause logic failures in downstream processing systems. This is particularly problematic in data sanitization workflows, ETL pipelines, and automated text processing scripts that depend on consistent behavior across different coreutils implementations.
Root Cause
The root cause is a logic error in the character class definition within the tr utility's source code. The implementation incorrectly handles the ASCII space character (0x20) boundary condition when populating the [:graph:] and [:print:] character sets. This results in the space character being misclassified—included in [:graph:] where it should be excluded, and excluded from [:print:] where it should be included.
Attack Vector
This vulnerability requires local access to a system running the affected uutils coreutils version. An attacker or malicious script cannot directly exploit this for privilege escalation or code execution. However, the incorrect behavior can be leveraged to cause data corruption in systems that depend on the tr utility for data processing. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in corrupted configuration files, broken data exports, or logic failures in automated workflows.
The vulnerability is exploited passively through normal usage of the tr utility with the [:graph:] or [:print:] character classes. No malicious payload or special crafting is required—simply using the utility as documented will produce incorrect results.
Detection Methods for CVE-2026-35379
Indicators of Compromise
- Unexpected removal or modification of space characters in processed text files
- Data pipeline failures or corrupted outputs when using tr with [:graph:] or [:print:] classes
- Diff reports showing missing spaces in files processed through uutils tr utility
Detection Strategies
- Compare tr utility output against expected POSIX behavior using test strings containing space characters
- Run validation tests: echo "a b c" | tr -d '[:graph:]' should return spaces only, not an empty string
- Audit automated scripts and pipelines that use tr with character class arguments
- Check installed uutils coreutils version against affected versions
Monitoring Recommendations
- Implement output validation checks in data processing pipelines that use the tr utility
- Add integrity checks for critical data processed through text transformation utilities
- Monitor for unexpected data format changes in downstream systems
- Log and alert on data validation failures in ETL and data cleaning workflows
How to Mitigate CVE-2026-35379
Immediate Actions Required
- Upgrade uutils coreutils to version 0.8.0 or later
- Audit existing scripts and pipelines for usage of tr with [:graph:] or [:print:] character classes
- Replace affected tr commands with GNU coreutils tr as a temporary workaround
- Validate data integrity for any files processed with the affected utility
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.8.0. The fix corrects the character class definitions to align with POSIX and GNU coreutils standards. For detailed patch information, refer to the GitHub Pull Request #11405 and the release notes for version 0.8.0.
Workarounds
- Use GNU coreutils tr utility instead of uutils version for affected character class operations
- Implement explicit character ranges instead of named character classes (e.g., use !-~ instead of [:graph:])
- Add post-processing validation to verify space character preservation in transformed data
- Wrap tr commands in shell functions that verify correct behavior before processing production data
# Workaround: Use explicit character range instead of [:graph:]
# Original (affected): tr -d '[:graph:]'
# Workaround: Delete printable non-space characters explicitly
tr -d '!-~'
# Verification test to check if your tr implementation is affected
test_result=$(echo "a b c" | tr -d '[:graph:]')
if [ "$test_result" = " " ]; then
echo "tr utility behaves correctly"
else
echo "WARNING: tr utility has incorrect [:graph:] behavior"
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
