Description

A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.

INFO

Published Date :

2026-04-22T16:09:19.726Z

Last Modified :

2026-04-22T16:57:53.616Z

Source :

canonical
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35380 vulnerability.

Vendors Products
Uutils
  • Coreutils
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35380.

URL Resource
https://github.com/uutils/coreutils/pull/11399 cve-icon cve-icon
https://github.com/uutils/coreutils/releases/tag/0.8.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact