CVE-2026-35381
Description
A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
coreutilscrates.io | < 0.8.0 | 0.8.0 |
Affected products
1Patches
1483f13e91830cut: improve function signature
2 files changed · +17 −2
src/uu/cut/src/cut.rs+2 −2 modified@@ -260,9 +260,9 @@ fn cut_fields_newline_char_delim<R: Read, W: Write>( reader: R, out: &mut W, ranges: &[Range], - only_delimited: bool, newline_char: u8, out_delim: &[u8], + only_delimited: bool, ) -> UResult<()> { let mut reader = BufReader::new(reader); let mut line = Vec::new(); @@ -398,9 +398,9 @@ fn cut_fields<R: Read, W: Write>( reader, out, ranges, - field_opts.only_delimited, newline_char, out_delim, + field_opts.only_delimited, ) } Delimiter::Slice(delim) => {
tests/by-util/test_cut.rs+15 −0 modified@@ -229,6 +229,21 @@ fn test_zero_terminated_only_delimited() { .stdout_only("82\n7\0"); } +#[test] +fn test_suppresses_unterminated_segment() { + new_ucmd!() + .args(&["-z", "-d", "", "-s", "-f", "1"]) + .pipe_in("unterminated") + .succeeds() + .stdout_only_bytes(""); + + new_ucmd!() + .args(&["-z", "-d", "", "-s", "-f", "1"]) + .pipe_in("terminated\0unterminated") + .succeeds() + .stdout_only_bytes("terminated\0"); +} + #[test] fn test_is_a_directory() { let (at, mut ucmd) = at_and_ucmd!();
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/uutils/coreutils/pull/11394nvdExploitIssue TrackingPatchWEB
- github.com/advisories/GHSA-532v-xp3f-837cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35381ghsaADVISORY
- github.com/uutils/coreutils/commit/483f13e91830c468262aa1e010e753d6ae99c898ghsaWEB
- github.com/uutils/coreutils/releases/tag/0.8.0nvdRelease NotesWEB
News mentions
1- Brush shell 0.4.0 tightens script safety, widens platform supportHelp Net Security · May 4, 2026