Description
The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Data Leakage
Action: Patch
AI Analysis

Impact

The cut utility in the uutils coreutils package incorrectly handles the -s option when a newline character is passed as the delimiter. The implementation does not check the only_delimited flag inside the cut_fields_newline_char_delim function, resulting in non-delimited lines being printed to output. This allows data that should be suppressed to flow to downstream processes, potentially exposing sensitive information that is not intended to be publicly visible.

Affected Systems

The affected product is the cut command provided by the uutils coreutils project. No specific version numbers are listed in the advisory, so all releases prior to the fix in the 0.7.0 release are considered vulnerable.

Risk and Exploitability

The CVSS score of 3.3 categorizes this issue as low severity. The EPSS score is < 1%, indicating a very low but non‑zero probability of exploitation. The vulnerability is not part of the CISA KEV catalog. Based on the description, it is inferred that the attack vector is local: an attacker who can run the cut utility with the vulnerable options on the target system or control a script that invokes it can cause unintended data leakage. Because the flaw only affects the output of a command that may be part of automated data processing pipelines, the impact is limited to confidentiality leakage rather than code execution or denial of service.

Generated by OpenCVE AI on April 28, 2026 at 08:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to version 0.7.0 or later, which contains the fix for the cut -s newline delimiter handling.
  • If an upgrade is not immediately possible, modify scripts that use cut to perform an additional check on the output or avoid using the -s option with a newline delimiter until the vulnerability is patched.
  • Add a secondary validation layer in downstream scripts to filter and validate cut output, ensuring that lines that should be suppressed are not propagated.
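
One way to apply the last two actions in a script, as an added example that is not OpenCVE's or the uutils project's code: a self-check for the installed cut plus a guarded wrapper that makes the suppression decision itself. It assumes that, with a newline delimiter, a "non-delimited" input is one containing no newline byte at all; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample inputs are constructed.
# Assumption: with a newline delimiter, input is "non-delimited" when it
# contains no newline byte at all, so -s must suppress it entirely.

NL='
'

# Return 0 if the given cut command honours -s with a newline delimiter,
# 1 if it prints the non-delimited probe input (the behaviour described
# in the advisory).
cut_honours_s_newline() {
    cut_bin=${1:-cut}
    out=$(printf 'probe-without-newline' | "$cut_bin" -s -d "$NL" -f 1 2>/dev/null)
    [ -z "$out" ]
}

# Guarded replacement for `cut -s -d '\n' -f LIST`: the suppression decision
# is made here, so it no longer depends on cut's own -s handling.
cut_fields_nl_guarded() {
    list=$1
    tmp=$(mktemp) || return 1
    cat >"$tmp"
    # wc -l counts newline bytes; zero means the delimiter never occurs.
    newlines=$(wc -l <"$tmp")
    if [ "$((newlines))" -eq 0 ]; then
        rm -f "$tmp"
        return 0            # non-delimited input: emit nothing
    fi
    cut -d "$NL" -f "$list" <"$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Running `cut_honours_s_newline /path/to/cut` during provisioning or CI flags hosts that still need the 0.7.0 upgrade.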

Advisories
Source: Github GHSA
ID: GHSA-hj9r-8pfm-rmjj
Title: uutils coreutils has an Issue With its Always-Incorrect Control Flow Implementation

History

Mon, 04 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

Mon, 27 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Uutils; Uutils coreutils
Vendors & Products | | Uutils; Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.
Title | | uutils coreutils cut Inconsistent Output Suppression with Newline Delimiters
Weaknesses | | CWE-670
References | |
Metrics | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T18:05:43.468Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35343

Vulnrichment

Updated: 2026-04-22T18:05:38.350Z

NVD

Status: Analyzed

Published: 2026-04-22T17:16:36.357

Modified: 2026-05-04T20:10:47.587

Link: CVE-2026-35343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:15:23Z
