Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data.
AnalysisAI
Logic error in uutils coreutils cut utility causes incorrect behavior when combining the -s (only-delimited), -z (null-terminated), and -d '' (empty delimiter) flags, resulting in unfiltered records being emitted instead of suppressed. This breaks data integrity for automated pipelines relying on cut -s to exclude records without delimiters, affecting local users with limited privileges. The vulnerability has low exploitability (CVSS 3.3, SSVC indicates no exploitation status and non-automatable attack), but poses information disclosure and data corruption risks in security-sensitive data processing workflows.
Technical ContextAI
The uutils coreutils project is a cross-platform reimplementation of GNU coreutils utilities in Rust. The cut utility parses fixed-width fields or delimited records from text input. The vulnerability exists in the record-filtering logic when the -s flag (suppress lines without delimiters) is combined with -z (null-terminated records instead of newlines) and -d '' (empty delimiter). The implementation incorrectly routes this specific flag combination through a specialized newline-delimiter code path that bypasses the suppression check defined by CWE-684 (Uncontrolled Recursion / Incorrect Control Flow). When both -z and -d '' are specified, the code fails to evaluate the record-suppression status, causing the utility to emit entire records including NUL terminators even when they lack delimiters. This diverges from GNU coreutils behavior, which correctly suppresses such records when -s is set.
RemediationAI
Upgrade uutils coreutils to version 0.8.0 or later, which includes the patch merged in PR https://github.com/uutils/coreutils/pull/11394. For systems unable to upgrade immediately, audit any data processing pipelines using cut with the -s flag combined with -z and -d '' options; if found, either remove the -z or -d '' flags (use the default newline delimiter and colon delimiter respectively), or replace with GNU coreutils cut, which does not have this bug. Note that switching back to GNU coreutils may have performance or compatibility implications depending on the deployment environment. If the pipeline cannot be modified, add a secondary validation step downstream to detect and filter records that should have been suppressed, at the cost of additional processing overhead.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25038
GHSA-532v-xp3f-837c