CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-35381

CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility

Alon Barad
Alon Barad
Software Engineer

Jul 6, 2026·7 min read·5 visits

Executive Summary (TL;DR)

A logic error and parameter-ordering mismatch in the cut utility of Rust-written uutils coreutils causes the -s flag to be ignored when used alongside -z and -d ''. This allows undelimited data to bypass suppression filters, presenting a data integrity and parsing injection risk.

A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.

Vulnerability Overview

The vulnerability designated as CVE-2026-35381 represents a logical failure within the field-extraction processing of the cut utility in the Rust-written uutils coreutils implementation. This flaw manifests uniquely when the program is executed with the zero-terminated input flag (-z or --zero-terminated), an empty string delimiter (-d ''), and the suppress undelimited records flag (-s or --only-delimited). Under expected GNU-compliant behavior, any input records that do not contain the specified field delimiter must be completely suppressed and dropped from the output stream.

In vulnerable versions of uutils coreutils prior to 0.8.0, this validation step is completely bypassed when processing empty delimiters in null-terminated inputs. The program instead preserves the entire malformed or non-delimited line and writes it directly to standard output, appending a trailing null byte. This behavior diverges significantly from standard POSIX and GNU behaviors, which correctly identify that the record lacks the empty delimiter and suppress the line entirely.

The root cause of this divergence is situated inside the uu_cut crate's field formatting modules, which route execution through specialized codepaths depending on the configuration of runtime parameters. When handling zero-terminated lines with an empty delimiter, the internal function responsible for output formatting receives mismatched configuration states. Consequently, the utility operates as if the suppression flag were absent, forwarding unfiltered content downstream.

Root Cause Analysis

The underlying technical flaw stems from a parameter-ordering mismatch between the caller implementation and the target function definition of cut_fields_newline_char_delim in the uu_cut module. The utility relies on an internal dispatcher pattern to route execution to optimal string-processing routines. When the input configuration utilizes null-bytes as terminators (-z) and specifies an empty string as a delimiter (-d ''), the program maps the execution path to Delimiter::Slice(delim) which subsequently delegates processing to cut_fields_newline_char_delim.

During this execution routing, the parameters passed by the router did not align with the formal arguments defined in the callee function signature. Specifically, the boolean state mapping the only_delimited configuration was loaded into the fourth position of the argument list at the call site. However, the function definition expected a different parameter layout, which led to incorrect register mapping or variable translation during the dynamic evaluation of the routine.

Because the compiled execution flow misaligned the boolean argument, the value of only_delimited inside the target function was evaluated as false, regardless of whether the user provided the -s flag on the command line. Consequently, the utility skipped the logic branches responsible for validating the presence of a delimiter character inside the record. As a result, the tool emitted every unparsed record to the standard output stream, rendering the suppression control completely ineffective.

Code Analysis and Comparison

A detailed review of the patch applied to the upstream repository reveals how the parameter alignment issue was introduced and corrected. In the vulnerable version of src/uu/cut/src/cut.rs, the function signature for cut_fields_newline_char_delim expected the only_delimited parameter as its fourth argument. However, helper calls and internal abstraction layers led to state misalignment, causing the boolean value to be read incorrectly at runtime.

// Vulnerable function definition signature in cut.rs
fn cut_fields_newline_char_delim<R: Read, W: Write>(
    reader: R,
    out: &mut W,
    ranges: &[Range],
    only_delimited: bool, // Mapped as the 4th parameter
    newline_char: u8,
    out_delim: &[u8],
) -> UResult<()> { ... }

To resolve this structural error, the developers relocated the only_delimited boolean flag to the final argument slot in both the function definition and the corresponding dispatch invocations. This layout ensures that the compiler enforces consistent type-safe stack offsets when resolving the argument positions.

// Patched function definition signature in cut.rs
fn cut_fields_newline_char_delim<R: Read, W: Write>(
    reader: R,
    out: &mut W,
    ranges: &[Range],
    newline_char: u8,
    out_delim: &[u8],
    only_delimited: bool, // Correctly moved to the end of the signature
) -> UResult<()> { ... }

The corresponding fix was applied to the caller inside the cut_fields dispatcher, ensuring that field_opts.only_delimited is supplied at the trailing end of the invocation. This synchronization forces the Rust compiler to correctly link the user-supplied command line boolean option with the runtime validation loop within the character-based parser, enabling proper suppression behavior.

Exploitation and Attack Vector

Exploitation of CVE-2026-35381 relies on logical manipulation of input boundaries within automated execution contexts. An attacker does not require elevated privileges or complex memory payload construction to trigger the vulnerability. Instead, the threat model involves scenarios where administrators construct processing pipelines that rely on cut to filter and sanitize untrusted inputs.

For example, an administrative workflow might ingest automated system logs containing mixed formatted outputs. The workflow uses cut -z -d "" -s -f 1 to drop any lines that fail to conform to a strict delimited formatting structure. By feeding a custom record that contains zero delimiters, an attacker forces the vulnerable utility to output the record instead of dropping it.

# Standard validation expectation (GNU behavior drops this input)
# Vulnerable uutils behavior prints the string
printf "untrusted_malicious_record" | uutils-cut -z -d "" -s -f 1

The vulnerability causes the untrusted record to propagate down the pipeline. If the downstream component is an administrative parser, interpreter, or system utility that expects only sanitized fields, the unchecked injection of the malformed record can trigger secondary injection, parameter manipulation, or directory traversal depending on the downstream script's logic.

Impact Assessment

The severity of CVE-2026-35381 is classified as low, carrying a CVSS v3.1 base score of 3.3. This assessment factors in the requirement for local access and the specific execution parameters needed to trigger the logical flaw. Despite the low base score, the operational risk remains notable in automated environments using modern containerized applications written in Rust.

As organizations transition infrastructure from traditional GNU utilities to memory-safe alternatives like uutils coreutils, automated bash or python shell pipelines are often migrated directly. Differences in logical behaviors between GNU and Rust-written utilities break assumptions in existing security boundaries. If system scripts rely on the suppression guarantees of cut -s to enforce safety controls, the failure to suppress malformed records can result in unauthorized logical bypasses.

At present, there is no evidence of active exploitation of this vulnerability in the wild, and the EPSS score remains extremely low. The primary impact is categorized as low integrity degradation, as it leads to unexpected output formatting rather than remote execution or direct memory corruption. Nonetheless, maintaining package synchronization with fixed releases is essential to avoid potential parsing errors in high-criticality automation environments.

Remediation and Verification

To remediate CVE-2026-35381, system administrators and developers must upgrade uutils coreutils to version 0.8.0 or later. If managing individual crate dependencies within Rust applications, update the uu_cut crate directly to version 0.2.2 or later. These versions incorporate the corrected parameter layout and include dedicated unit tests to prevent regression.

In environments where upgrading packages is blocked by change-management restrictions, a robust workaround is to sanitize inputs using independent utilities before feeding them to cut. Using helper tools like awk or grep to filter out records that do not contain the intended delimiter ensures that cut only handles conforming input blocks.

# Safe alternative: Filter out undelimited lines before cut processing
tr '\0' '\n' | grep -F "" | tr '\n' '\0' | cut -z -d "" -s -f 1

To verify whether a target system is vulnerable, execute a probe using an undelimited test sequence. Run printf "test_string" | uutils-cut -z -d "" -s -f 1 on the command line. A vulnerable installation will output test_string\0 to the terminal, whereas a secured or patched installation will output absolutely nothing.

Official Patches

uutilsPull Request #11394 containing the logic correction for cut

Fix Analysis (1)

Technical Appendix

CVSS Score
3.3/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Probability
0.15%
Top 96% most exploited

Affected Systems

Linux distributions packaging uutils coreutilsRust applications utilizing the uu_cut library crate

Affected Versions Detail

Product
Affected Versions
Fixed Version
uutils coreutils
uutils
< 0.8.00.8.0
uu_cut
uutils
< 0.2.20.2.2
AttributeDetail
CWE IDCWE-684 (Incorrect Provision of Specified Functionality)
Attack VectorLocal (AV:L)
CVSS Score3.3
EPSS Score0.00149
ImpactLow Integrity Impact
Exploit Statusnone/theoretical
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
CWE-684
Incorrect Provision of Specified Functionality

The system does not complete or perform the required actions to supply the standard behavior of the tool, resulting in functional bypasses.

References & Sources

  • [1]CVE-2026-35381 Record on CVE.org
  • [2]National Vulnerability Database CVE-2026-35381 Detail
  • [3]uutils coreutils v0.8.0 Release Page
  • [4]Wiz Vulnerability Database - CVE-2026-35381

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•3 minutes ago•CVE-2026-35341
7.1

CVE-2026-35341: Local Privilege Escalation and Permission Degradation in uutils coreutils mkfifo

CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.

Alon Barad
Alon Barad
0 views•7 min read
•34 minutes ago•CVE-2026-35361
3.4

CVE-2026-35361: Security Permission Bypass via Improper File Cleanup in uutils coreutils mknod

A security permission bypass vulnerability exists in the mknod utility of uutils coreutils on Linux systems utilizing SELinux. The utility fails to atomically assign SELinux security contexts during special file creation. When assignment fails, the program attempts cleanup using an incorrect file system API, which fails silently. This leaves mislabeled, orphaned special files on disk with potentially weaker default inherited permissions.

Amit Schendel
Amit Schendel
1 views•9 min read
•about 2 hours ago•CVE-2026-55792
6.0

CVE-2026-55792: Sensitive File Disclosure in Craft CMS via Twig Sandbox Bypass

CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 3 hours ago•CVE-2026-35366
4.4

CVE-2026-35366: Security Inspection Bypass in uutils coreutils printenv via non-UTF-8 Environment Variables

A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.

Alon Barad
Alon Barad
5 views•6 min read
•about 3 hours ago•GHSA-X76W-8C62-48MG
4.3

GHSA-X76W-8C62-48MG: Missing Authorization in Craft CMS AssetsController Leads to Private Asset Disclosure

An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.

Alon Barad
Alon Barad
4 views•6 min read
•about 4 hours ago•CVE-2026-35371
3.3

CVE-2026-35371: Logical Identity Spoofing in uutils coreutils id Utility

CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.

Alon Barad
Alon Barad
6 views•9 min read