Skip to main content

uutils coreutils EUVDEUVD-2026-25036

| CVE-2026-35380 MEDIUM
Improper Input Validation (CWE-20)
2026-04-22 canonical GHSA-m2pg-c7m6-77pj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:06 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25036
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:09 nvd
MEDIUM 5.5

DescriptionCVE.org

A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.

AnalysisAI

Logic error in uutils coreutils cut utility causes incorrect interpretation of the literal two-byte string '' (two single quotes) as an empty delimiter, leading to silent data corruption when processing strings with these characters. The vulnerability affects uutils coreutils versions prior to 0.8.0 and impacts automated scripts and data pipelines that rely on precise delimiter handling, as the utility may unintentionally split or join data on NUL bytes rather than intended literal characters.

Technical ContextAI

The cut utility in uutils coreutils implements field-based text processing using delimiter options (-d for input delimiter, --output-delimiter for output delimiter). The vulnerability stems from a logic error (CWE-20: Improper Input Validation) in the delimiter parsing logic where the implementation incorrectly maps the literal two-byte string consisting of two single quote characters ('') to the NUL character (ASCII 0x00) instead of preserving it as a literal delimiter string. This type of error typically occurs in string parsing or character mapping routines where escape sequences or special character handling is not properly validated. The bug affects both the input and output delimiter processing, potentially causing data to be split or joined on NUL bytes when scripts or pipelines intended to use '' as a literal delimiter.

RemediationAI

Upgrade uutils coreutils to version 0.8.0 or later, which includes the fix for the delimiter parsing logic error. The patched version is available from the official GitHub repository (https://github.com/uutils/coreutils/releases/tag/0.8.0). For systems unable to immediately upgrade, audit existing scripts and data pipelines to identify any that intentionally use '' (two single quotes) as a delimiter argument to cut and replace with alternative delimiters or workarounds - such as using a different delimiter character or processing the data through a different utility like awk or sed. Document any scripts affected by this logic error to ensure they are retested after patching to verify data integrity has been restored. No compensating controls are practical for preventing this logic error in vulnerable versions; patching is the only reliable remediation.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-25036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy