CVE-2026-35375

Name of the Vulnerable Software and Affected Versions uutils coreutils (affected versions not specified)

Description A logic error in the split utility occurs when non-UTF-8 prefix or suffix inputs are provided. The implementation uses the to string lossy() function to construct chunk filenames, which replaces invalid byte sequences with the UTF-8 replacement character (U+FFFD). This differs from GNU split, which preserves raw pathname bytes. In environments using non-UTF-8 encodings, this can result in corrupted filenames, leading to filename collisions, broken automation, or misdirected output data.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.