CVE-2026-35381
Logic Error in uutils cut Causes Data Integrity Risk
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | to 0.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-684 | The code does not function according to its published specifications, potentially leading to incorrect usage. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in the cut utility of uutils coreutils. Specifically, when the -s (only-delimited) flag is used together with the -z (null-terminated) and -d '' (empty delimiter) options, the utility incorrectly processes the input. Instead of suppressing records that do not contain delimiters as expected, it emits the entire record plus a NUL byte. This happens because the implementation routes this combination through a code path meant for newline delimiters, which does not check whether to suppress the record.
As a result, the behavior diverges from the expected GNU coreutils behavior, potentially causing data integrity issues in automated pipelines that rely on cut -s to filter out undelimited data.
How can this vulnerability impact me? :
This vulnerability can impact you by causing data integrity risks in automated data processing pipelines. If your workflows depend on the cut utility with the -s flag to suppress undelimited records, this flaw may cause those records to be included incorrectly. This could lead to incorrect data being processed or passed along, potentially affecting the accuracy and reliability of your data handling.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the uutils coreutils cut utility causes it to incorrectly emit undelimited records instead of suppressing them when using certain flag combinations. This behavior creates a data integrity risk for automated pipelines that rely on the cut -s flag to filter out undelimited data.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the data integrity risk introduced by this vulnerability could potentially impact compliance efforts. Automated data processing pipelines that depend on accurate filtering might inadvertently process or expose unintended data, which could lead to violations of data protection or privacy regulations if sensitive data is mishandled.
However, there is no direct information provided linking this vulnerability to specific compliance failures or regulatory breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the behavior of the uutils/coreutils cut utility when using the combination of flags -z (null-terminated), -d '' (empty delimiter), and -s (only-delimited). Specifically, you can check if cut incorrectly outputs undelimited records instead of suppressing them.
A suggested command to detect the issue is:
- printf ' abc ' | cut -z -d ' ' -s -f 1 | od -An -tx1
In a vulnerable version of uutils/coreutils, this command outputs the bytes corresponding to "abc" plus a NUL byte (61 62 63 00), whereas in GNU coreutils it produces no output, indicating correct suppression of undelimited records.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update uutils/coreutils to a version that includes the fix merged on March 20, 2026, which correctly honors the -s flag when used with -z and an empty delimiter.
Until the update is applied, avoid using the combination of -z, -d '', and -s flags together in cut commands within automated pipelines, as this can cause data integrity issues.