Low severity3.3NVD Advisory· Published Apr 22, 2026· Updated Apr 29, 2026

CVE-2026-35379

Description

A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
coreutilscrates.io	< 0.8.0	0.8.0

Affected products

Uutils/Coreutils
cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*
Range: <0.8.0

Patches

358063f3367c

tr: fix graph/print character class mapping (#11405)

https://github.com/uutils/coreutilsCan BölükMar 26, 2026via ghsa

commit

2 files changed · +35 −3

src/uu/tr/src/operation.rs+3 −3 modified

@@ -185,8 +185,7 @@ impl Sequence {
                         .chain(33..=47)
                         .chain(58..=64)
                         .chain(91..=96)
-                        .chain(123..=126)
-                        .chain(std::iter::once(32)), // space
+                        .chain(123..=126),
                 ),
                 Class::Print => Box::new(
                     (48..=57) // digit
@@ -196,7 +195,8 @@ impl Sequence {
                         .chain(33..=47)
                         .chain(58..=64)
                         .chain(91..=96)
-                        .chain(123..=126),
+                        .chain(123..=126)
+                        .chain(std::iter::once(32)), // space
                 ),
                 Class::Punct => Box::new((33..=47).chain(58..=64).chain(91..=96).chain(123..=126)),
                 Class::Space => Box::new(unicode_table::SPACES.iter().copied()),

tests/by-util/test_tr.rs+32 −0 modified

@@ -65,6 +65,38 @@ fn test_delete() {
         .stdout_is("BD");
 }
 
+#[test]
+fn test_delete_graph_and_print_match_gnu() {
+    let input = [b' ', b'A', b'!', b'\t', b'\n'];
+    new_ucmd!()
+        .args(&["-d", "[:graph:]"])
+        .pipe_in(input)
+        .succeeds()
+        .stdout_is_bytes([b' ', b'\t', b'\n']);
+
+    new_ucmd!()
+        .args(&["-d", "[:print:]"])
+        .pipe_in(input)
+        .succeeds()
+        .stdout_is_bytes([b'\t', b'\n']);
+}
+
+#[test]
+fn test_delete_complement_graph_and_print_match_gnu() {
+    let input = [b' ', b'A', b'!', b'\t', b'\n'];
+    new_ucmd!()
+        .args(&["-d", "-c", "[:graph:]"])
+        .pipe_in(input)
+        .succeeds()
+        .stdout_is_bytes([b'A', b'!']);
+
+    new_ucmd!()
+        .args(&["-d", "-c", "[:print:]"])
+        .pipe_in(input)
+        .succeeds()
+        .stdout_is_bytes([b' ', b'A', b'!']);
+}
+
 #[test]
 fn test_delete_afterwards_is_not_flag() {
     new_ucmd!()

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/uutils/coreutils/pull/11405nvdExploitIssue TrackingPatchWEB
github.com/advisories/GHSA-fhr3-xh3q-69w6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35379ghsaADVISORY
github.com/uutils/coreutils/commit/358063f3367cb23a1e5db314cfdbfeb607749b3dghsaWEB
github.com/uutils/coreutils/releases/tag/0.8.0nvdRelease NotesWEB

News mentions

Brush shell 0.4.0 tightens script safety, widens platform support
Help Net Security · May 4, 2026

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000