Executive Summary

The vulnerability exists in the comm utility of uutils coreutils, where it silently corrupts data by performing a lossy UTF-8 conversion on all output lines.

This happens because the implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD).

Unlike GNU comm, which processes raw bytes and preserves the original input, uutils coreutils' comm corrupts output when comparing binary files or files with non-UTF-8 legacy encodings.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to silent data corruption when using the comm utility to compare binary files or files encoded in non-UTF-8 legacy formats.

The corrupted output may cause incorrect comparison results, potentially leading to data integrity issues or erroneous processing based on the corrupted output.

Since the corruption is silent, users may not be aware that the data has been altered, which can affect workflows relying on accurate file comparisons.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability causes silent data corruption when the uutils comm utility processes non-UTF-8 input by replacing invalid byte sequences with the Unicode replacement character. This can lead to data integrity issues when handling arbitrary byte streams.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, data integrity is a critical aspect of such regulations. Corrupted data output could potentially violate requirements for data accuracy and integrity under these standards.

However, there is no direct information provided about the impact of this vulnerability on compliance with specific regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the behavior of the uutils comm utility when processing files containing non-UTF-8 byte sequences. Specifically, you can create test files with invalid UTF-8 bytes (such as 0xFE and 0xFF) and compare their output using uutils comm versus GNU comm.

If the output from uutils comm replaces invalid UTF-8 bytes with the Unicode replacement character (U+FFFD), it indicates the presence of the vulnerability, as this corrupts the original data silently.

Suggested commands to detect the issue:

• Create two test files with non-UTF-8 bytes, for example using a hex editor or echo with printf:
• Use GNU comm to compare the files and observe that the output preserves the original bytes.
• Use uutils comm to compare the same files and check if invalid UTF-8 bytes are replaced by U+FFFD (shown as � or byte sequence ef bf bd).
• Example commands:
• printf '\xFE\xFF\n' > file1
• printf '\xFE\xFF\n' > file2
• comm file1 file2 # GNU comm output preserves bytes
• uutils comm file1 file2 # vulnerable output replaces invalid bytes with U+FFFD

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should update the uutils coreutils package to a version that includes the fix for CVE-2026-35346.

The fix involves changes to the comm utility to handle output without lossy UTF-8 conversion, aligning its behavior with GNU comm by writing raw bytes directly to stdout and improving error handling.

If an immediate update is not possible, avoid using the uutils comm utility to compare files containing non-UTF-8 or binary data, and instead use GNU comm or other tools that preserve raw byte output.

Useful 0 Not Useful 0