The cut utility in uutils coreutils contains a logic flaw—an instance of CWE‑20 (improper input validation) and is also catalogued under NVD‑CWE‑noinfo—where the literal two‑byte string '' is misinterpreted as an empty delimiter, effectively mapping it to a NUL character for both the -d and --output-delimiter options. This misparsing can cause automated scripts and data pipelines that rely on precise delimiter behavior to silently corrupt data or produce incorrect output, leading to logic errors and potential data loss. Although it does not grant code execution, it undermines data integrity.

The vulnerability exists in the uutils coreutils cut command, affecting all installations that have not been updated to version 0.8.0 or later. The patch is included in the 0.8.0 release, so systems running earlier versions of uutils coreutils are at risk.

The CVSS base score of 5.5 indicates moderate severity. Classified as CWE‑20 (improper input validation) and listed under NVD‑CWE‑noinfo, an attacker would need to influence the input passed to cut, typically by running or modifying a script that uses the tool. The exploit does not require special privileges and can be triggered locally, but it does not lead to remote code execution. The EPSS score is <1% (0.0002), and the vulnerability is not listed in the CISA KEV, indicating it is not known to be widely exploited in the wild yet.