CVE-2026-35381

Description

A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data.

CVSS Details

CVSS Score

3.3

Severity

LOW

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE

uutils coreutils < 0.8.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# PoC for CVE-2026-35381
# Demonstrates that uutils cut ignores -s flag with -z and -d ''

echo "Testing CVE-2026-35381..."

# Create a test file with data containing no delimiter (empty delimiter is used)
# Using printf to ensure NUL byte handling is clear if needed, though here we test the suppression.
# Input: "nodelim" followed by NUL

# Expected behavior (GNU coreutils): No output because -s suppresses lines without delimiters.
# Vulnerable behavior (uutils): Outputs "nodelim" + NUL byte.

printf "nodelim\0" | ./cut -s -z -d '' -f1

# If output is visible, the vulnerability is present.
echo "If 'nodelim' was printed above, the漏洞 is triggered."

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35381
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35381
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35381/
[4] VulDB https://vuldb.com/cve/CVE-2026-35381
[5] https://github.com/uutils/coreutils/pull/11394
[6] https://github.com/uutils/coreutils/releases/tag/0.8.0

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35381", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:43.200", "lastModified": "2026-04-24T19:19:34.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-684"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.8.0", "matchCriteriaId": "2365DBBD-6F10-4651-8DA4-08AE79E14423"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11394", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}