UBUNTU-CVE-2026-35378

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-35378

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35378.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-35378

Upstream

CVE-2026-35378

Published

2026-04-22T17:16:00Z

Modified

2026-05-14T14:41:54.932682Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow.

References

Affected packages

Ubuntu:24.04:LTS / rust-coreutils

Package

Name: rust-coreutils
Purl: pkg:deb/ubuntu/rust-coreutils@0.0.24-2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0.20-1

0.0.22-1

0.0.23-1

0.0.23-2

0.0.23-3

0.0.24-1

0.0.24-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "rust-coreutils",
            "binary_version": "0.0.24-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35378.json"

Ubuntu:25.10 / rust-coreutils

Package

Name: rust-coreutils
Purl: pkg:deb/ubuntu/rust-coreutils@0.2.2-0ubuntu2.1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0.30-1

0.0.30-2

0.0.30-2ubuntu2

0.1.0-0ubuntu1

0.1.0+git20250711.2ba3a33-0ubuntu1

0.1.0+git20250711.2ba3a33-0ubuntu2

0.1.0+git20250711.2ba3a33-0ubuntu3

0.1.0+git20250711.2ba3a33-0ubuntu4

0.1.0+git20250801.cf79675-0ubuntu1

0.1.0+git20250813.4af2a84-0ubuntu2

0.1.0+git20250813.4af2a84-0ubuntu4

0.1.0+git20250813.4af2a84-0ubuntu6

0.1.0+git20250813.4af2a84-0ubuntu7

0.2.2-0ubuntu1

0.2.2-0ubuntu2

0.2.2-0ubuntu2.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "rust-coreutils",
            "binary_version": "0.2.2-0ubuntu2.1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35378.json"