CVE-2026-35380 Overview
A logic error vulnerability has been identified in the cut utility of uutils coreutils. The flaw causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.
Critical Impact
Automated scripts and data processing pipelines relying on the cut utility may experience silent data corruption, potentially affecting downstream systems and data integrity without any visible error indicators.
Affected Products
- uutils coreutils (versions prior to 0.8.0)
- Systems using uutils coreutils as a replacement for GNU coreutils
- Automated scripts and data pipelines utilizing the cut utility with delimiter options
Discovery Timeline
- 2026-04-22 - CVE-2026-35380 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35380
Vulnerability Analysis
This vulnerability falls under the category of Improper Input Validation (CWE-20). The root cause lies in how the cut utility processes delimiter arguments. When a user passes the literal two-byte string '' (two consecutive single quotes) as a delimiter via the -d or --output-delimiter options, the implementation incorrectly interprets this input as an empty delimiter and maps it to the NUL character (\0).
This behavior diverges from the expected functionality where the utility should either reject the invalid input or treat the two single quotes as literal characters. The consequence is that data fields are split or joined using NUL bytes instead of the intended delimiter, leading to corrupted output that may propagate through data processing workflows undetected.
Root Cause
The vulnerability stems from improper handling of edge cases in delimiter parsing logic within the cut utility. The code path responsible for processing the -d and --output-delimiter options fails to distinguish between a genuinely empty string and a string containing literal quote characters. This parsing ambiguity causes the implementation to default to using NUL as the delimiter when encountering the specific two-byte sequence of consecutive single quotes.
Attack Vector
This is a local vulnerability requiring the attacker to have access to execute commands on the target system. Exploitation occurs when:
- A script or pipeline uses the cut utility with user-controlled or malformed delimiter arguments
- The delimiter argument contains or evaluates to the literal '' (two single quotes)
- The cut utility silently processes the input using NUL as the delimiter instead of the expected character
The exploitation does not require special privileges beyond normal user access, though the impact is limited to data integrity issues rather than code execution. The vulnerability is particularly dangerous in automated environments where silent failures can propagate through multiple processing stages before detection.
The vulnerability mechanism involves incorrect input parsing in the delimiter handling code. When the cut utility receives '' as a delimiter argument, the parsing logic erroneously interprets this as an empty string and substitutes the NUL character. This behavior affects both the -d option for input field separation and the --output-delimiter option for output field joining. Technical details and the fix can be found in the GitHub Pull Request #11399.
Detection Methods for CVE-2026-35380
Indicators of Compromise
- Unexpected NUL bytes appearing in output files generated by scripts using the cut utility
- Data processing pipelines producing malformed or truncated output without explicit errors
- Log entries showing unusual field counts or parsing failures in downstream applications
- Scripts utilizing cut -d '' or cut --output-delimiter='' with literal single quote characters
Detection Strategies
- Audit shell scripts and data processing pipelines for usage of the cut utility with delimiter options containing single quotes
- Implement output validation to detect unexpected NUL characters in processed data
- Review version information of uutils coreutils installations and compare against the fixed version 0.8.0
- Monitor for data integrity anomalies in systems relying on field-delimited text processing
Monitoring Recommendations
- Enable detailed logging for data processing pipelines to capture intermediate output for validation
- Implement checksums or hash validation for critical data transformation workflows
- Set up alerting for unexpected binary characters in text-based data streams
- Conduct periodic audits of coreutils utility versions across infrastructure
How to Mitigate CVE-2026-35380
Immediate Actions Required
- Upgrade uutils coreutils to version 0.8.0 or later, which contains the fix for this vulnerability
- Review and audit existing scripts that use the cut utility with delimiter options
- Validate output from data processing pipelines that rely on the cut utility
- Consider temporarily using GNU coreutils as an alternative until upgrades are completed
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.8.0. The fix corrects the delimiter parsing logic to properly handle edge cases involving quote characters. Users should upgrade to this version or later to remediate the vulnerability. The patch details are available in the GitHub Pull Request #11399 and the fixed release can be obtained from the GitHub Release Tag 0.8.0.
Workarounds
- Avoid using the literal '' string as a delimiter argument with the cut utility
- Implement input validation in scripts to sanitize delimiter arguments before passing to cut
- Use alternative field-splitting utilities such as awk or sed for critical data processing tasks
- Add output validation steps to detect and flag potential data corruption from delimiter issues
```bash
# Verify uutils coreutils version to check vulnerability status
uutils --version

# Alternative: Use awk for field extraction as a workaround
# Instead of: cut -d ',' -f1 input.txt
awk -F',' '{print $1}' input.txt

# Validate output for unexpected NUL characters
cat processed_output.txt | od -c | grep '\\0'
```
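The input-validation and output-validation workarounds above, together with the NUL check from Detection Strategies, combined into one shell guard for scripts that receive the delimiter in a variable. This is an added example, not code from uutils or from the advisory; the function names check_cut_delim, has_nul and guarded_cut are hypothetical, and the single-byte delimiter policy is an assumption of the example.

```bash
# Added example: hypothetical helper names, not part of uutils coreutils.

# check_cut_delim ARG: accept only a single-byte delimiter (policy of this example).
# Returns 0 ok, 2 literal two-quote string, 3 empty string, 4 longer than one byte.
check_cut_delim() {
    case "$1" in
        "''") echo "cut delimiter rejected: literal '' (two quotes)" >&2; return 2 ;;
        "")   echo "cut delimiter rejected: empty string" >&2; return 3 ;;
    esac
    len=$(printf '%s' "$1" | wc -c)          # byte count, not character count
    [ "$((len))" -eq 1 ] && return 0
    echo "cut delimiter rejected: not a single byte" >&2
    return 4
}

# has_nul FILE: succeed when FILE contains at least one NUL byte.
has_nul() {
    [ -r "$1" ] || return 2
    # Stripping NULs changes the byte stream only if NULs were present.
    ! tr -d '\000' < "$1" | cmp -s - "$1"
}

# guarded_cut DELIM FIELDS INFILE OUTFILE [OUTDELIM]
# Validates every delimiter before cut runs, then checks the result.
guarded_cut() {
    check_cut_delim "$1" || return $?
    if [ $# -ge 5 ]; then
        check_cut_delim "$5" || return $?
        cut -d "$1" -f "$2" --output-delimiter="$5" -- "$3" > "$4" || return 5
    else
        cut -d "$1" -f "$2" -- "$3" > "$4" || return 5
    fi
    # Flag NUL bytes that were not already present in the input.
    if has_nul "$4" && ! has_nul "$3"; then
        echo "NUL bytes introduced into $4" >&2
        return 6
    fi
    return 0
}

# Usage in a pipeline step:
#   guarded_cut "$delim" 1 input.txt output.txt || exit 1
```

The delimiter check runs before the output file is opened, so a rejected argument leaves no partial output for later pipeline stages to consume.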

