CVE-2026-35343 LOW

CVE-2026-35343: uutils coreutils cut Inconsistent Output Suppression with Newline Delimiters

Vendor Uutils
Product coreutils
Weakness CWE-670
Published April 22, 2026
Last update April 22, 2026

CVSS base score

3.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated