{"uuid": "89925e9b-ec22-4174-a707-3e7fafe25186", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35381", "type": "seen", "source": "https://gist.github.com/alon710/b10b20af35b7bf752b36e152bb72f112", "content": "# CVE-2026-35381: CVE-2026-35381: Input Sanitization and Logic Bypass in uutils coreutils cut Utility\n\n&gt; **CVSS Score:** 3.3\n&gt; **Published:** 2026-07-06\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35381\n\n## Summary\nA critical argument order mismatch in the Rust implementation of GNU coreutils (uutils/coreutils) causes the cut utility to ignore the only-delimited (-s) flag when zero-terminated (-z) and empty-delimiter (-d '') options are combined. This logic bypass allows unvalidated inputs to propagate downstream, presenting data integrity risks.\n\n## TL;DR\nAn argument mismatch in uutils cut causes the -s flag to be ignored when paired with -z and -d '', allowing malformed inputs to bypass stream sanitization filters.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-684\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1 Score**: 3.3 (Low)\n- **EPSS Score**: 0.00149 (0.15%)\n- **Impact**: Data Integrity Bypass\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- uutils/coreutils cut utility version &lt; 0.8.0\n- Embedded environments or container images running rust-based coreutils implementations\n- **uutils/coreutils**: &lt; 0.8.0 (Fixed in: `0.8.0`)\n\n## Mitigation\n\n- Upgrade to uutils/coreutils 0.8.0 or newer.\n- Avoid using combined -z, -d '', and -s configurations in legacy deployments.\n- Implement pre-validation steps using grep -z before data processing.\n\n**Remediation Steps:**\n1. Identify all installations of uutils/coreutils across application servers and container base images.\n2. Update the packages via the respective system package manager (e.g., apt-get install --only-upgrade uutils-coreutils) or cargo install coreutils --locked --force.\n3. Audit automated shell pipelines for pattern sequences matching 'cut -z -d \"\" -s' or 'cut -z -d \\'\\' -s'.\n4. Implement input sanitization fallbacks where immediate software updates are restricted by change controls.\n\n## References\n\n- [CVE-2026-35381 Record](https://www.cve.org/CVERecord?id=CVE-2026-35381)\n- [Official Fix Commit](https://github.com/uutils/coreutils/commit/483f13e91830c468262aa1e010e753d6ae99c898)\n- [Fix Pull Request #11394](https://github.com/uutils/coreutils/pull/11394)\n- [uutils/coreutils v0.8.0 Release Notes](https://github.com/uutils/coreutils/releases/tag/0.8.0)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35381) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T22:41:49.132185Z"}