CVE-2026-35381
Description
A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| coreutils (crates.io) | < 0.8.0 | 0.8.0 |
References
- github.com/uutils/coreutils/pull/11394 (nvd: Exploit, Issue Tracking, Patch, WEB)
- github.com/advisories/GHSA-532v-xp3f-837c (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-35381 (ghsa: ADVISORY)
- github.com/uutils/coreutils/commit/483f13e91830c468262aa1e010e753d6ae99c898 (ghsa: WEB)
- github.com/uutils/coreutils/releases/tag/0.8.0 (nvd: Release Notes, WEB)