Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35381

CVE-2026-35381: uutils coreutils Information Disclosure

CVE-2026-35381 is an information disclosure flaw in uutils coreutils cut utility that causes incorrect handling of the -s flag with -z and -d options, exposing unfiltered data in automated pipelines. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-35381 Overview

A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data.

Critical Impact

Automated data processing pipelines using uutils coreutils cut with the -s -z -d '' option combination may experience data integrity issues due to incorrect output, potentially causing downstream processing failures or data corruption.

Affected Products

  • uutils coreutils (versions prior to 0.8.0)

Discovery Timeline

  • 2026-04-22 - CVE CVE-2026-35381 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35381

Vulnerability Analysis

This vulnerability is classified under CWE-684 (Incorrect Provision of Specified Functionality). The issue stems from a logic error in how the cut utility processes command-line flag combinations. When a user specifies -s (suppress lines without delimiters), -z (use NUL as line terminator), and -d '' (empty delimiter) together, the implementation fails to honor the -s flag's intended behavior.

The root cause lies in the code path selection logic within the cut utility. Instead of properly evaluating the suppression flag when processing null-terminated records with an empty delimiter, the code incorrectly routes execution through a specialized newline-delimiter handling path. This path lacks the necessary check for the record suppression status, causing undelimited records to be output when they should be filtered.

Root Cause

The vulnerability originates from improper conditional logic in the cut utility's input processing routines. The specialized code path designed to handle newline delimiters is incorrectly invoked when the combination of -z and -d '' options is used. This code path bypasses the suppression status check that would normally filter out records lacking the specified delimiter.

Attack Vector

This is a local vulnerability requiring the attacker to have local access to execute the affected cut command. The attack vector involves crafting input data that exploits the flag handling logic error, causing the utility to output data that should have been suppressed. While the integrity impact is limited, it can affect automated pipelines that depend on consistent filtering behavior between GNU coreutils and uutils coreutils implementations.

The vulnerability manifests when using the specific option combination -s -z -d ''. In this scenario, records that do not contain the empty delimiter should be suppressed according to the -s flag, but instead they are output in their entirety with an appended NUL byte. For detailed technical information about the fix implementation, see the GitHub Pull Request Discussion.

Detection Methods for CVE-2026-35381

Indicators of Compromise

  • Unexpected output from cut commands using the -s -z -d '' option combination
  • Downstream processing failures in pipelines that depend on filtered cut output
  • Data inconsistencies when comparing results between GNU coreutils and uutils coreutils

Detection Strategies

  • Audit shell scripts and automated pipelines for usage of uutils coreutils cut with the problematic flag combination
  • Compare output behavior between affected uutils coreutils versions and GNU coreutils reference implementation
  • Implement validation checks on cut output to verify expected filtering behavior

Monitoring Recommendations

  • Monitor data processing pipelines for unexpected output size variations that may indicate suppression failure
  • Implement logging for cut command invocations with the -s flag to track potential affected operations
  • Review automated job logs for downstream processing errors that may correlate with this behavior divergence

How to Mitigate CVE-2026-35381

Immediate Actions Required

  • Upgrade uutils coreutils to version 0.8.0 or later, which contains the fix for this logic error
  • Review automated pipelines and scripts for usage of the -s -z -d '' option combination
  • Temporarily substitute GNU coreutils cut for affected operations if upgrade is not immediately possible
  • Validate critical pipeline outputs to ensure data integrity has not been compromised

Patch Information

The fix for this vulnerability is included in uutils coreutils version 0.8.0. Users should upgrade to this version or later to resolve the logic error. The patch corrects the code path selection to properly evaluate the suppression flag when handling null-terminated records with empty delimiters. For more details, see the GitHub Release Version 0.8.0.

Workarounds

  • Use GNU coreutils cut instead of uutils coreutils for operations requiring the -s -z -d '' combination
  • Implement post-processing validation to filter out incorrectly emitted records
  • Avoid using the empty delimiter option in combination with null-termination and suppression flags until upgrade is complete
bash
# Verify uutils coreutils version
uu-cut --version

# Upgrade to patched version (example using cargo)
cargo install coreutils --version ">=0.8.0"

# Alternative: Use GNU coreutils cut explicitly if available
/usr/bin/cut -s -z -d '' -f1 input_file

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.