Security Vulnerability Report
中文
CVE-2026-35343 CVSS 3.3 LOW

CVE-2026-35343

Published: 2026-04-22 17:16:36
Last Modified: 2026-05-04 20:10:48
Source: [email protected]

Description

The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.

CVSS Details

CVSS Score
3.3
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Create a test file where the first line does not end with a newline echo -n "line_without_newline" > poc.txt echo "line_with_newline" >> poc.txt # Run uutils cut with -s (suppress lines without delimiter) and newline as delimiter # Expected: Only "line_with_newline" should be printed # Vulnerable behavior: Both lines are printed uutils-cut -d $'\n' -f 1 -s poc.txt

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35343", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:36.357", "lastModified": "2026-05-04T20:10:47.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-670"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.7.0", "matchCriteriaId": "7F64F6A4-00A5-4FB8-BB51-21F475C11FF2"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11143", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.7.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.