This page lists publicly disclosed CVE vulnerabilities affecting gnu coreutils (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-0684 | A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service. | [email protected] | 5.5 | 0.09% | 2024-02-06 | 2025-11-04 |
| CVE-2015-4042 | Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings. | [email protected] | 9.8 | 0.39% | 2020-01-24 | 2024-11-21 |
| CVE-2015-4041 | The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings. | [email protected] | 7.8 | 0.07% | 2020-01-24 | 2024-11-21 |
| CVE-2017-18018 | In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. | [email protected] | 7.1 | 0.06% | 2018-01-04 | 2025-06-09 |
| CVE-2015-1865 | fts.c in coreutils 8.4 allows local users to delete arbitrary files. | [email protected] | 5.1 | 0.08% | 2017-09-20 | 2026-05-13 |
| CVE-2016-2781 | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. | [email protected] | 4.6 | 0.07% | 2017-02-07 | 2026-05-13 |
| CVE-2014-9471 | The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command. | [email protected] | 7.5 | 4.26% | 2015-01-16 | 2026-05-06 |
| CVE-2009-4135 | The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp. | [email protected] | 4.4 | 0.04% | 2009-12-11 | 2026-04-23 |
| CVE-2008-1946 | The default configuration of su in /etc/pam.d/su in GNU coreutils 5.2.1 allows local users to gain the privileges of a (1) locked or (2) expired account by entering the account name on the command line, related to improper use of the pam_succeed_if.so module. | [email protected] | 4.4 | 0.07% | 2008-07-28 | 2026-04-23 |
| CVE-2005-1039 | Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2) mknod, or (3) mkfifo is running with the -m switch, allows local users to modify permissions of other files. | [email protected] | 3.7 | 0.06% | 2005-05-02 | 2026-04-16 |