CVE-2026-35343 Overview
The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.
Critical Impact
Non-delimited lines are incorrectly included in output when using the -s flag with newline delimiter, potentially causing data integrity issues in downstream processing pipelines.
Affected Products
- uutils coreutils versions prior to 0.7.0
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35343 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35343
Vulnerability Analysis
This vulnerability falls under the category of Input Validation Error (CWE-670: Always-Incorrect Control Flow Implementation). The cut utility in uutils coreutils contains a logic flaw where the only_delimited flag is not properly checked within the cut_fields_newline_char_delim function. When users specify the -s option, the utility should suppress lines that do not contain the specified delimiter. However, when a newline character is used as the delimiter, this suppression logic is bypassed due to the missing flag verification.
The local attack vector requires the attacker to have access to the system where uutils coreutils is installed. The integrity impact occurs because scripts and pipelines expecting filtered output may receive unexpected data, potentially leading to incorrect processing results or data leakage in automated workflows.
Root Cause
The root cause is an incomplete implementation in the cut_fields_newline_char_delim function. While other delimiter-handling code paths properly check the only_delimited flag before outputting lines, this specific code path for newline character delimiters omits the necessary conditional check. This represents an Always-Incorrect Control Flow Implementation where the control flow does not correctly account for all valid input combinations.
Attack Vector
The attack vector requires local access to a system running uutils coreutils. An attacker or unexpected input could exploit this flaw in scenarios where:
- A shell script uses cut -s -d'\n' to process sensitive data expecting strict filtering
- The utility outputs lines that should be suppressed based on the -s flag
- Downstream processes receive and handle data that was meant to be filtered out
This could be particularly impactful in data processing pipelines, log parsing operations, or any automation that relies on the -s flag for output sanitization when using newline as a delimiter.
The vulnerability manifests in the cut_fields_newline_char_delim function where the only_delimited flag check is missing. See the GitHub Pull Request for technical implementation details and the fix.
Detection Methods for CVE-2026-35343
Indicators of Compromise
- Unexpected output from cut commands using -s with newline delimiter
- Downstream script failures or data inconsistencies when processing cut output
- Pipeline results containing more lines than expected when filtering with -s -d'\n'
Detection Strategies
- Audit shell scripts and automation that use uutils cut with the -s flag and newline delimiter
- Compare uutils cut output against GNU coreutils cut for equivalent commands to identify discrepancies
- Implement input validation in downstream scripts to verify expected output format
Monitoring Recommendations
- Monitor for unexpected data processing errors in pipelines using uutils coreutils
- Review logs from data processing jobs that rely on cut utility filtering
- Track version deployments of uutils coreutils across systems to ensure patched versions are installed
How to Mitigate CVE-2026-35343
Immediate Actions Required
- Upgrade uutils coreutils to version 0.7.0 or later
- Review and audit scripts that use cut -s with newline as delimiter
- Consider using GNU coreutils cut as a temporary alternative if immediate upgrade is not possible
- Add validation checks in downstream scripts to verify expected output format
Patch Information
The fix has been implemented in uutils coreutils version 0.7.0. The patch adds the proper only_delimited flag check to the cut_fields_newline_char_delim function, ensuring consistent behavior across all delimiter types.
For detailed patch information, refer to the GitHub Pull Request #11143 and the GitHub Release 0.7.0.
Workarounds
- Add post-processing validation to filter output if upgrade is not immediately possible
- Use GNU coreutils cut instead of uutils cut for critical operations requiring the -s flag with newline delimiter
- Implement wrapper scripts that validate cut output before passing to downstream processes
# Upgrade uutils coreutils to patched version
cargo install coreutils --version ">=0.7.0"
# Verify installed version
cut --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
