CVE-2026-35343 PUBLISHED

uutils coreutils cut Inconsistent Output Suppression with Newline Delimiters

Assigner: canonical
Reserved: 02.04.2026 Published: 22.04.2026 Updated: 22.04.2026

The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 3.3

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Uutils
Product	coreutils
Versions	Default: unaffected affected from 0 to 0.8.0 (excl.)

Credits

Zellic finder

References

Problem Types

CWE-670: Always-Incorrect Control Flow Implementation CWE

Impacts

CAPEC-153: Input Data Manipulation