Jul 6, 2026·7 min read·5 visits
A logic error and parameter-ordering mismatch in the cut utility of Rust-written uutils coreutils causes the -s flag to be ignored when used alongside -z and -d ''. This allows undelimited data to bypass suppression filters, presenting a data integrity and parsing injection risk.
A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.
The vulnerability designated as CVE-2026-35381 represents a logical failure within the field-extraction processing of the cut utility in the Rust-written uutils coreutils implementation. This flaw manifests uniquely when the program is executed with the zero-terminated input flag (-z or --zero-terminated), an empty string delimiter (-d ''), and the suppress undelimited records flag (-s or --only-delimited). Under expected GNU-compliant behavior, any input records that do not contain the specified field delimiter must be completely suppressed and dropped from the output stream.
In vulnerable versions of uutils coreutils prior to 0.8.0, this validation step is completely bypassed when processing empty delimiters in null-terminated inputs. The program instead preserves the entire malformed or non-delimited line and writes it directly to standard output, appending a trailing null byte. This behavior diverges significantly from standard POSIX and GNU behaviors, which correctly identify that the record lacks the empty delimiter and suppress the line entirely.
The root cause of this divergence is situated inside the uu_cut crate's field formatting modules, which route execution through specialized codepaths depending on the configuration of runtime parameters. When handling zero-terminated lines with an empty delimiter, the internal function responsible for output formatting receives mismatched configuration states. Consequently, the utility operates as if the suppression flag were absent, forwarding unfiltered content downstream.
The underlying technical flaw stems from a parameter-ordering mismatch between the caller implementation and the target function definition of cut_fields_newline_char_delim in the uu_cut module. The utility relies on an internal dispatcher pattern to route execution to optimal string-processing routines. When the input configuration utilizes null-bytes as terminators (-z) and specifies an empty string as a delimiter (-d ''), the program maps the execution path to Delimiter::Slice(delim) which subsequently delegates processing to cut_fields_newline_char_delim.
During this execution routing, the parameters passed by the router did not align with the formal arguments defined in the callee function signature. Specifically, the boolean state mapping the only_delimited configuration was loaded into the fourth position of the argument list at the call site. However, the function definition expected a different parameter layout, which led to incorrect register mapping or variable translation during the dynamic evaluation of the routine.
Because the compiled execution flow misaligned the boolean argument, the value of only_delimited inside the target function was evaluated as false, regardless of whether the user provided the -s flag on the command line. Consequently, the utility skipped the logic branches responsible for validating the presence of a delimiter character inside the record. As a result, the tool emitted every unparsed record to the standard output stream, rendering the suppression control completely ineffective.
A detailed review of the patch applied to the upstream repository reveals how the parameter alignment issue was introduced and corrected. In the vulnerable version of src/uu/cut/src/cut.rs, the function signature for cut_fields_newline_char_delim expected the only_delimited parameter as its fourth argument. However, helper calls and internal abstraction layers led to state misalignment, causing the boolean value to be read incorrectly at runtime.
// Vulnerable function definition signature in cut.rs
fn cut_fields_newline_char_delim<R: Read, W: Write>(
reader: R,
out: &mut W,
ranges: &[Range],
only_delimited: bool, // Mapped as the 4th parameter
newline_char: u8,
out_delim: &[u8],
) -> UResult<()> { ... }To resolve this structural error, the developers relocated the only_delimited boolean flag to the final argument slot in both the function definition and the corresponding dispatch invocations. This layout ensures that the compiler enforces consistent type-safe stack offsets when resolving the argument positions.
// Patched function definition signature in cut.rs
fn cut_fields_newline_char_delim<R: Read, W: Write>(
reader: R,
out: &mut W,
ranges: &[Range],
newline_char: u8,
out_delim: &[u8],
only_delimited: bool, // Correctly moved to the end of the signature
) -> UResult<()> { ... }The corresponding fix was applied to the caller inside the cut_fields dispatcher, ensuring that field_opts.only_delimited is supplied at the trailing end of the invocation. This synchronization forces the Rust compiler to correctly link the user-supplied command line boolean option with the runtime validation loop within the character-based parser, enabling proper suppression behavior.
Exploitation of CVE-2026-35381 relies on logical manipulation of input boundaries within automated execution contexts. An attacker does not require elevated privileges or complex memory payload construction to trigger the vulnerability. Instead, the threat model involves scenarios where administrators construct processing pipelines that rely on cut to filter and sanitize untrusted inputs.
For example, an administrative workflow might ingest automated system logs containing mixed formatted outputs. The workflow uses cut -z -d "" -s -f 1 to drop any lines that fail to conform to a strict delimited formatting structure. By feeding a custom record that contains zero delimiters, an attacker forces the vulnerable utility to output the record instead of dropping it.
# Standard validation expectation (GNU behavior drops this input)
# Vulnerable uutils behavior prints the string
printf "untrusted_malicious_record" | uutils-cut -z -d "" -s -f 1The vulnerability causes the untrusted record to propagate down the pipeline. If the downstream component is an administrative parser, interpreter, or system utility that expects only sanitized fields, the unchecked injection of the malformed record can trigger secondary injection, parameter manipulation, or directory traversal depending on the downstream script's logic.
The severity of CVE-2026-35381 is classified as low, carrying a CVSS v3.1 base score of 3.3. This assessment factors in the requirement for local access and the specific execution parameters needed to trigger the logical flaw. Despite the low base score, the operational risk remains notable in automated environments using modern containerized applications written in Rust.
As organizations transition infrastructure from traditional GNU utilities to memory-safe alternatives like uutils coreutils, automated bash or python shell pipelines are often migrated directly. Differences in logical behaviors between GNU and Rust-written utilities break assumptions in existing security boundaries. If system scripts rely on the suppression guarantees of cut -s to enforce safety controls, the failure to suppress malformed records can result in unauthorized logical bypasses.
At present, there is no evidence of active exploitation of this vulnerability in the wild, and the EPSS score remains extremely low. The primary impact is categorized as low integrity degradation, as it leads to unexpected output formatting rather than remote execution or direct memory corruption. Nonetheless, maintaining package synchronization with fixed releases is essential to avoid potential parsing errors in high-criticality automation environments.
To remediate CVE-2026-35381, system administrators and developers must upgrade uutils coreutils to version 0.8.0 or later. If managing individual crate dependencies within Rust applications, update the uu_cut crate directly to version 0.2.2 or later. These versions incorporate the corrected parameter layout and include dedicated unit tests to prevent regression.
In environments where upgrading packages is blocked by change-management restrictions, a robust workaround is to sanitize inputs using independent utilities before feeding them to cut. Using helper tools like awk or grep to filter out records that do not contain the intended delimiter ensures that cut only handles conforming input blocks.
# Safe alternative: Filter out undelimited lines before cut processing
tr '\0' '\n' | grep -F "" | tr '\n' '\0' | cut -z -d "" -s -f 1To verify whether a target system is vulnerable, execute a probe using an undelimited test sequence. Run printf "test_string" | uutils-cut -z -d "" -s -f 1 on the command line. A vulnerable installation will output test_string\0 to the terminal, whereas a secured or patched installation will output absolutely nothing.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
uutils coreutils uutils | < 0.8.0 | 0.8.0 |
uu_cut uutils | < 0.2.2 | 0.2.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-684 (Incorrect Provision of Specified Functionality) |
| Attack Vector | Local (AV:L) |
| CVSS Score | 3.3 |
| EPSS Score | 0.00149 |
| Impact | Low Integrity Impact |
| Exploit Status | none/theoretical |
| KEV Status | Not Listed |
The system does not complete or perform the required actions to supply the standard behavior of the tool, resulting in functional bypasses.
CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.
A security permission bypass vulnerability exists in the mknod utility of uutils coreutils on Linux systems utilizing SELinux. The utility fails to atomically assign SELinux security contexts during special file creation. When assignment fails, the program attempts cleanup using an incorrect file system API, which fails silently. This leaves mislabeled, orphaned special files on disk with potentially weaker default inherited permissions.
CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.
A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.
An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.
CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.