CVE-2026-35380 - Vulnerability Details

- uutils coreutils cut Local Logic Error and Data Integrity Issue in Delimiter Parsing

Description

A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.

Published: 2026-04-22

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The cut utility in uutils coreutils contains a logic flaw—an instance of CWE-20, improper input validation—where the literal two‑byte string '' is misinterpreted as an empty delimiter, effectively mapping it to a NUL character for both the -d and --output-delimiter options. This misparsing can cause automated scripts and data pipelines that rely on precise delimiter behavior to silently corrupt data or produce incorrect output, leading to logic errors and potential data loss. Although it does not grant code execution, it undermines data integrity.

Affected Systems

The vulnerability exists in the uutils coreutils cut command, affecting all installations that have not been updated to version 0.8.0 or later. The patch is included in the 0.8.0 release, so systems running earlier versions of uutils coreutils are at risk.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity. An attacker would need to influence the input passed to cut, typically by running or modifying a script that uses the tool. The exploit does not require special privileges and can be triggered locally, but it does not lead to remote code execution. The EPSS score is not available and the vulnerability is not listed in the CISA KEV, meaning it is not known to be widely exploited in the wild yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Uutils

coreutils

unaffected

Version	Status	Constraints
`0`	affected	< 0.8.0

No data.

Vendor Product Confidence Versions

Uutils

Coreutils

100%

Version	Status	Scheme	Platform
`[0,0.8.0)`	affected	semver	['linux', 'unix', 'macos']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade uutils coreutils to version 0.8.0 or later where the logic error is corrected.
Audit any automated scripts or data pipelines that use cut with the literal "" delimiter to ensure they no longer rely on this misparsing behavior.
Modify or replace problematic cut calls with safer delimiters or an alternative method to prevent silent data corruption.

Generated by OpenCVE AI on April 27, 2026 at 08:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/uutils/coreutils/pull/11399
https://github.com/uutils/coreutils/releases/tag/0.8.0

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Uutils Uutils coreutils
Vendors & Products		Uutils Uutils coreutils

Wed, 22 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.
Title		uutils coreutils cut Local Logic Error and Data Integrity Issue in Delimiter Parsing
Weaknesses		CWE-20
References		https://github.com/uutils/coreutils/pull/11399 https://github.com/uutils/coreutils/releases/tag/0.8.0
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Uutils Coreutils

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-22T16:09:19.726Z

Updated: 2026-04-22T16:57:53.616Z

Reserved: 2026-04-02T12:58:56.089Z

Link: CVE-2026-35380

Vulnrichment

Updated: 2026-04-22T16:57:48.221Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:43.047

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:53:24Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object