Skip to main content

uutils coreutils CVE-2026-35343

| EUVDEUVD-2026-24973 LOW
Always-Incorrect Control Flow Implementation (CWE-670)
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24973
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:07 nvd
LOW 3.3

DescriptionCVE.org

The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.

AnalysisAI

The cut utility in uutils coreutils fails to suppress non-delimited lines when the -s (only-delimited) option is used with a newline character as the delimiter, causing unfiltered data to be passed to downstream processes. Affected versions prior to 0.8.0 exhibit this logic error, which has low real-world impact due to local-only attack vector and partial technical scope, though it violates strict data filtering contracts that scripts may depend upon.

Technical ContextAI

The cut utility processes text input and extracts or removes specific fields based on delimiter and column specifications. The -s flag (only-delimited) instructs cut to suppress lines that do not contain the specified delimiter character. In uutils coreutils, the cut_fields_newline_char_delim function processes input when a newline is the chosen delimiter but fails to check the only_delimited flag before printing lines. This is a logic control-flow error (CWE-670: Improper Check or Handling of Exceptional Conditions) where a conditional check is omitted entirely in one code path. The newline delimiter case appears to have been implemented separately and the filtering logic was not propagated to this path, resulting in incorrect behavior diverging from GNU coreutils standard cut.

RemediationAI

Upgrade uutils coreutils to version 0.8.0 or later, which includes the patch committed in pull request #11143. For users unable to patch immediately, configure input validation upstream of the cut command to reject non-delimited records before they reach cut, or use GNU coreutils as a drop-in replacement if uutils coreutils is optional in your toolchain. Note that this workaround adds latency and shifts validation logic but does not affect the availability of cut itself. Verify the upgrade by testing cut with the -s flag and newline delimiter against a mixed input file containing both delimited and non-delimited lines; patched versions should suppress non-delimited output.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35343 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy