CVE-2026-35347
Received Received - Intake
Data Loss and Hang in uutils coreutils comm via Improper Input Handling

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: Canonical Ltd.

Description
The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35347
EUVD
EUVD-2026-24979
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils to 0.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability manifests when the comm utility in uutils coreutils is used with non-regular file inputs such as pipes or process substitutions. Detection involves observing incorrect output or false sorting warnings when running comm on such inputs.

A practical way to detect the issue is to run comm with process substitutions or pipes and check for skipped data or erroneous warnings.

  • Run a command like: comm <(cat file1) <(cat file2) and verify if the output is correct.
  • Check for warnings or unexpected results indicating data loss or incorrect comparison.
Executive Summary

The vulnerability exists in the comm utility of uutils coreutils, where it incorrectly reads data from non-regular file inputs before performing comparison operations.

Specifically, the are_files_identical function opens and reads from both input paths to compare their content without first checking if the inputs are regular files.

If the input is a FIFO or a pipe, this pre-read operation drains the stream, causing silent data loss before the actual comparison happens.

Moreover, if the input is an infinite stream like /dev/zero, the utility may hang indefinitely while trying to pre-read.

Impact Analysis

This vulnerability can lead to silent data loss when using the comm utility on non-regular files such as FIFOs or pipes, as the data stream is consumed before comparison.

Additionally, the utility may hang indefinitely if it tries to read from infinite streams, causing potential denial of service or workflow interruptions.

The CVSS score indicates a low to medium severity with impacts on integrity and availability but no confidentiality loss.

Mitigation Strategies

To mitigate this vulnerability, avoid using the comm utility with non-regular files such as pipes or process substitutions until the fix is applied.

Update the uutils coreutils package to a version that includes the fix merged on January 17, 2026, which skips redundant file identity checks for non-regular files.

If updating immediately is not possible, consider using alternative tools or methods that do not rely on comm for comparing data streams from pipes or FIFOs.

Compliance Impact

The vulnerability in the comm utility causes silent data loss when reading from non-regular files such as pipes or FIFOs, which could lead to incorrect or incomplete data processing.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, data loss or corruption issues can potentially impact compliance by compromising data integrity and accuracy.

Standards such as GDPR and HIPAA require accurate and reliable handling of data, so any silent data loss or incorrect processing could pose risks to meeting these regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35347. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart