CVE-2026-35381 Overview
A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data.
Critical Impact
Automated data processing pipelines using uutils coreutils cut with the -s -z -d '' option combination may experience data integrity issues due to incorrect output, potentially causing downstream processing failures or data corruption.
Affected Products
- uutils coreutils (versions prior to 0.8.0)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35381 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35381
Vulnerability Analysis
This vulnerability is classified under CWE-684 (Incorrect Provision of Specified Functionality). The issue stems from a logic error in how the cut utility processes command-line flag combinations. When a user specifies -s (suppress lines without delimiters), -z (use NUL as line terminator), and -d '' (empty delimiter) together, the implementation fails to honor the -s flag's intended behavior.
The root cause lies in the code path selection logic within the cut utility. Instead of properly evaluating the suppression flag when processing null-terminated records with an empty delimiter, the code incorrectly routes execution through a specialized newline-delimiter handling path. This path lacks the necessary check for the record suppression status, causing undelimited records to be output when they should be filtered.
Root Cause
The vulnerability originates from improper conditional logic in the cut utility's input processing routines. The specialized code path designed to handle newline delimiters is incorrectly invoked when the combination of -z and -d '' options is used. This code path bypasses the suppression status check that would normally filter out records lacking the specified delimiter.
Attack Vector
This is a local vulnerability requiring the attacker to have local access to execute the affected cut command. The attack vector involves crafting input data that exploits the flag handling logic error, causing the utility to output data that should have been suppressed. While the integrity impact is limited, it can affect automated pipelines that depend on consistent filtering behavior between GNU coreutils and uutils coreutils implementations.
The vulnerability manifests when using the specific option combination -s -z -d ''. In this scenario, records that do not contain the empty delimiter should be suppressed according to the -s flag, but instead they are output in their entirety with an appended NUL byte. For detailed technical information about the fix implementation, see the GitHub Pull Request Discussion.
Detection Methods for CVE-2026-35381
Indicators of Compromise
- Unexpected output from cut commands using the -s -z -d '' option combination
- Downstream processing failures in pipelines that depend on filtered cut output
- Data inconsistencies when comparing results between GNU coreutils and uutils coreutils
Detection Strategies
- Audit shell scripts and automated pipelines for usage of uutils coreutils cut with the problematic flag combination
- Compare output behavior between affected uutils coreutils versions and GNU coreutils reference implementation
- Implement validation checks on cut output to verify expected filtering behavior
Monitoring Recommendations
- Monitor data processing pipelines for unexpected output size variations that may indicate suppression failure
- Implement logging for cut command invocations with the -s flag to track potential affected operations
- Review automated job logs for downstream processing errors that may correlate with this behavior divergence
How to Mitigate CVE-2026-35381
Immediate Actions Required
- Upgrade uutils coreutils to version 0.8.0 or later, which contains the fix for this logic error
- Review automated pipelines and scripts for usage of the -s -z -d '' option combination
- Temporarily substitute GNU coreutils cut for affected operations if upgrade is not immediately possible
- Validate critical pipeline outputs to ensure data integrity has not been compromised
Patch Information
The fix for this vulnerability is included in uutils coreutils version 0.8.0. Users should upgrade to this version or later to resolve the logic error. The patch corrects the code path selection to properly evaluate the suppression flag when handling null-terminated records with empty delimiters. For more details, see the GitHub Release Version 0.8.0.
Workarounds
- Use GNU coreutils cut instead of uutils coreutils for operations requiring the -s -z -d '' combination
- Implement post-processing validation to filter out incorrectly emitted records
- Avoid using the empty delimiter option in combination with null-termination and suppression flags until upgrade is complete
# Verify uutils coreutils version
uu-cut --version
# Upgrade to patched version (example using cargo)
cargo install coreutils --version ">=0.8.0"
# Alternative: Use GNU coreutils cut explicitly if available
/usr/bin/cut -s -z -d '' -f1 input_file
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
