DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-35381: CVE-2026-35381: Input Sanitization and Logic Bypass in uutils coreutils cut Utility

CVE-2026-35381: Input Sanitization and Logic Bypass in uutils coreutils cut Utility

Vulnerability ID: CVE-2026-35381
CVSS Score: 3.3
Published: 2026-07-06

A critical argument order mismatch in the Rust implementation of GNU coreutils (uutils/coreutils) causes the cut utility to ignore the only-delimited (-s) flag when zero-terminated (-z) and empty-delimiter (-d '') options are combined. This logic bypass allows unvalidated inputs to propagate downstream, presenting data integrity risks.

TL;DR

An argument mismatch in uutils cut causes the -s flag to be ignored when paired with -z and -d '', allowing malformed inputs to bypass stream sanitization filters.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-684
  • Attack Vector: Local (AV:L)
  • CVSS v3.1 Score: 3.3 (Low)
  • EPSS Score: 0.00149 (0.15%)
  • Impact: Data Integrity Bypass
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • uutils/coreutils cut utility version < 0.8.0
  • Embedded environments or container images running rust-based coreutils implementations
  • uutils/coreutils: < 0.8.0 (Fixed in: 0.8.0)

Code Analysis

Commit: 483f13e

Fix argument order mismatch in cut_fields_newline_char_delim function signature inside src/uu/cut/src/cut.rs

@@ -260,9 +260,9 @@ fn cut_fields_newline_char_delim<R: Read, W: Write>(
     reader: R,
     out: &mut W,
     ranges: &[Range],
-    only_delimited: bool,
     newline_char: u8,
     out_delim: &[u8],
+    only_delimited: bool,
 ) -> UResult<()> {
     let mut reader = BufReader::new(reader);
     let mut line = Vec::new();
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • GitHub: Pull Request detailing the logic bypass and exact replication commands.

Mitigation Strategies

  • Upgrade to uutils/coreutils 0.8.0 or newer.
  • Avoid using combined -z, -d '', and -s configurations in legacy deployments.
  • Implement pre-validation steps using grep -z before data processing.

Remediation Steps:

  1. Identify all installations of uutils/coreutils across application servers and container base images.
  2. Update the packages via the respective system package manager (e.g., apt-get install --only-upgrade uutils-coreutils) or cargo install coreutils --locked --force.
  3. Audit automated shell pipelines for pattern sequences matching 'cut -z -d "" -s' or 'cut -z -d \'\' -s'.
  4. Implement input sanitization fallbacks where immediate software updates are restricted by change controls.

References


Read the full report for CVE-2026-35381 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)