CVE-2026-35380: CWE-20: Improper Input Validation in Uutils coreutils
A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.
AI Analysis
Technical Summary
This vulnerability arises from a logic error in the cut utility of uutils coreutils where the literal two-byte string of two single quotes ('') is misinterpreted as an empty delimiter. The implementation maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. As a result, automated scripts and data pipelines that rely on these delimiters may experience silent data corruption or logic errors due to unintended splitting or joining on NUL bytes rather than the expected literal characters. The CVSS 3.1 base score is 5.5 (medium severity), reflecting local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. There is no known exploit in the wild and no vendor advisory or patch currently available.
Potential Impact
The vulnerability can cause silent data corruption or logic errors in automated scripts and data pipelines that use the cut utility with the affected delimiter options. Specifically, data may be incorrectly split or joined on NUL bytes instead of the intended literal two single quote characters, potentially leading to incorrect processing or data integrity issues. There is no impact on confidentiality or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using the two single quote string ('') as a delimiter with the cut utility in uutils coreutils or validate outputs carefully to detect potential data corruption. Monitor vendor channels for updates or patches addressing this issue.
CVE-2026-35380: CWE-20: Improper Input Validation in Uutils coreutils
Description
A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from a logic error in the cut utility of uutils coreutils where the literal two-byte string of two single quotes ('') is misinterpreted as an empty delimiter. The implementation maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. As a result, automated scripts and data pipelines that rely on these delimiters may experience silent data corruption or logic errors due to unintended splitting or joining on NUL bytes rather than the expected literal characters. The CVSS 3.1 base score is 5.5 (medium severity), reflecting local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. There is no known exploit in the wild and no vendor advisory or patch currently available.
Potential Impact
The vulnerability can cause silent data corruption or logic errors in automated scripts and data pipelines that use the cut utility with the affected delimiter options. Specifically, data may be incorrectly split or joined on NUL bytes instead of the intended literal two single quote characters, potentially leading to incorrect processing or data integrity issues. There is no impact on confidentiality or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using the two single quote string ('') as a delimiter with the cut utility in uutils coreutils or validate outputs carefully to detect potential data corruption. Monitor vendor channels for updates or patches addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.089Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d719fe3cd2cdd02531
Added to database: 4/22/2026, 4:31:19 PM
Last enriched: 4/22/2026, 4:46:49 PM
Last updated: 4/22/2026, 5:32:57 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.