CVE-2026-35381: Input Sanitization and Logic Bypass in uutils coreutils cut Utility
Vulnerability ID: CVE-2026-35381
CVSS Score: 3.3
Published: 2026-07-06
A critical argument order mismatch in the Rust implementation of GNU coreutils (uutils/coreutils) causes the cut utility to ignore the only-delimited (-s) flag when zero-terminated (-z) and empty-delimiter (-d '') options are combined. This logic bypass allows unvalidated inputs to propagate downstream, presenting data integrity risks.
TL;DR
An argument mismatch in uutils cut causes the -s flag to be ignored when paired with -z and -d '', allowing malformed inputs to bypass stream sanitization filters.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-684
- Attack Vector: Local (AV:L)
- CVSS v3.1 Score: 3.3 (Low)
- EPSS Score: 0.00149 (0.15%)
- Impact: Data Integrity Bypass
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- uutils/coreutils cut utility version < 0.8.0
- Embedded environments or container images running rust-based coreutils implementations
-
uutils/coreutils: < 0.8.0 (Fixed in:
0.8.0)
Code Analysis
Commit: 483f13e
Fix argument order mismatch in cut_fields_newline_char_delim function signature inside src/uu/cut/src/cut.rs
@@ -260,9 +260,9 @@ fn cut_fields_newline_char_delim<R: Read, W: Write>(
reader: R,
out: &mut W,
ranges: &[Range],
- only_delimited: bool,
newline_char: u8,
out_delim: &[u8],
+ only_delimited: bool,
) -> UResult<()> {
let mut reader = BufReader::new(reader);
let mut line = Vec::new();
Exploit Details
- GitHub: Pull Request detailing the logic bypass and exact replication commands.
Mitigation Strategies
- Upgrade to uutils/coreutils 0.8.0 or newer.
- Avoid using combined -z, -d '', and -s configurations in legacy deployments.
- Implement pre-validation steps using grep -z before data processing.
Remediation Steps:
- Identify all installations of uutils/coreutils across application servers and container base images.
- Update the packages via the respective system package manager (e.g., apt-get install --only-upgrade uutils-coreutils) or cargo install coreutils --locked --force.
- Audit automated shell pipelines for pattern sequences matching 'cut -z -d "" -s' or 'cut -z -d \'\' -s'.
- Implement input sanitization fallbacks where immediate software updates are restricted by change controls.
References
- CVE-2026-35381 Record
- Official Fix Commit
- Fix Pull Request #11394
- uutils/coreutils v0.8.0 Release Notes
Read the full report for CVE-2026-35381 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)