CVE-2026-35380
Logic Error in uutils coreutils cut Causes Data Corruption
Publication date: 2026-04-22
Last updated on: 2026-04-29
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | to 0.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes silent data corruption or logic errors in automated scripts and data pipelines that use the cut utility from uutils coreutils. Such data integrity issues could potentially impact compliance with standards and regulations that require accurate and reliable data processing, such as GDPR and HIPAA.
However, there is no direct information provided about specific impacts on compliance with these regulations.
Can you explain this vulnerability to me?
This vulnerability is a logic error in the cut utility of uutils coreutils. The program incorrectly interprets the literal two-byte string consisting of two single quotes ('') as an empty delimiter. Instead of treating it as the literal string, the implementation mistakenly maps it to the NUL character for both the -d (delimiter) and --output-delimiter options.
As a result, the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters, which can cause silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters.
How can this vulnerability impact me? :
This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines. Specifically, because the cut utility may incorrectly split or join data on NUL bytes instead of the intended literal two single quote characters, any processing of strings containing these characters could be corrupted without obvious signs.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the behavior of the `cut` command in uutils/coreutils when using the literal two-byte string `''` as a delimiter. Specifically, you can run a command that uses `cut` with the delimiter set to `''` and observe if it incorrectly processes the input without error.
- Run the following command to check if the vulnerability is present:
- printf ' a\x27\x27b\n ' | cut -d "''" -f1
If the command exits with status 0 and outputs `a''b`, it indicates the vulnerability is present because the delimiter is incorrectly treated as a NUL character, causing silent data corruption. In contrast, a secure implementation (like GNU coreutils) would exit with status 1 and output an error message stating the delimiter must be a single character.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the uutils/coreutils package to a version that includes the fix which rejects the special-casing of the literal `''` delimiter. This fix aligns the behavior with GNU coreutils and prevents the erroneous mapping to the NUL character.
Until the update is applied, avoid using the literal two-byte string `''` as a delimiter with the `cut` command in uutils/coreutils to prevent silent data corruption or logic errors in your scripts and data pipelines.