Impact
A logic error in the uutils coreutils cut command causes the -s (only-delimited) flag to be ignored when the command is invoked with both the -z (null-terminated) option and an empty delimiter (-d ''). The code wrongly routes this flag combination through a newline-delimiter code path that does not honour the record-suppression setting. As a result, cut emits the full record followed by a NUL byte instead of discarding undelimited data, diverging from the behavior of the GNU coreutils implementation. This introduces a data-integrity risk for automated pipelines that depend on cut -s to filter out malformed or undelimited input, potentially causing downstream errors or security misconfigurations. The weakness is a logic flaw (CWE-684).
Affected Systems
The uutils coreutils suite, specifically the cut utility, is affected. All releases prior to the 0.8.0 tag, which contains the fix, are vulnerable. The issue is triggered only when the command is invoked with the -z option, an empty delimiter via -d '', and the -s flag simultaneously. Users should audit any scripts or pipelines that employ this flag combination to determine whether they are running a vulnerable version.
Risk and Exploitability
The CVSS score of 3.3 indicates a low-severity vulnerability. The EPSS score is less than 1%, suggesting a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is local execution, requiring the attacker to run the cut command within a target system that trusts its output. Exploitation would involve supplying crafted input to a pipeline that incorporates cut's output. While remote code execution is not possible, the data-integrity breach could lead to downstream operational failures or subtle security misconfigurations in automated ingestion processes.
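Pipelines that rely on cut -s to drop undelimited records can re-check that guarantee themselves until the fixed release is deployed. The following added example (not part of the advisory or of the uutils project) re-applies the -s contract to NUL-terminated output and probes whichever cut is on PATH with the flag combination described above; the sample records and the function names are constructed for illustration, and an empty delimiter is modelled as "no byte inside a record can match", which is why every record is treated as undelimited in that case.

```python
import subprocess
from typing import List, Tuple

NUL = b"\x00"


def split_records(data: bytes, terminator: bytes = NUL) -> List[bytes]:
    """Split -z style output into records, dropping the empty tail after the last terminator."""
    parts = data.split(terminator)
    if parts and parts[-1] == b"":
        parts.pop()
    return parts


def enforce_only_delimited(data: bytes, delimiter: bytes,
                           terminator: bytes = NUL) -> Tuple[bytes, List[bytes]]:
    """Re-apply the -s contract downstream of cut: keep a record only if it contains
    the field delimiter.  An empty delimiter (the -d '' case) cannot occur inside a
    record, so every record then counts as undelimited.  Returns the filtered stream
    and the records that cut should have suppressed but did not."""
    kept: List[bytes] = []
    leaked: List[bytes] = []
    for rec in split_records(data, terminator):
        if delimiter and delimiter in rec:
            kept.append(rec)
        else:
            leaked.append(rec)
    return b"".join(r + terminator for r in kept), leaked


def probe_installed_cut(delimiter: str = "") -> List[bytes]:
    """Run the cut on PATH with -z -d <delimiter> -s -f1 on a constructed record that
    contains no delimiter and return what it failed to suppress (non-empty = -s ignored)."""
    sample = b"undelimited-record" + NUL  # constructed input
    result = subprocess.run(["cut", "-z", "-d", delimiter, "-s", "-f1"],
                            input=sample, capture_output=True, check=False)
    if result.returncode != 0:
        raise RuntimeError(f"cut rejected the flags: {result.stderr.decode(errors='replace')}")
    _, leaked = enforce_only_delimited(result.stdout, delimiter.encode())
    return leaked


if __name__ == "__main__":
    # Constructed stand-in for the buggy output the advisory describes: the
    # undelimited record is emitted whole, followed by a NUL byte.
    buggy_output = b"key:value" + NUL + b"no-delimiter-here" + NUL
    filtered, leaked = enforce_only_delimited(buggy_output, b":")
    print("filtered:", filtered)  # b'key:value\x00'
    print("leaked:", leaked)      # [b'no-delimiter-here']
    print("installed cut leaks:", probe_installed_cut())
```

The probe's result depends on the cut binary actually installed, so treat a non-empty list as a prompt to check the version rather than as proof of the specific uutils code path.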
OpenCVE Enrichment
Github GHSA