CVE-2026-35347
Data Loss and Hang in uutils coreutils comm via Improper Input Handling
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: Canonical Ltd.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | all versions before 0.6.0 (0.6.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests when the comm utility in uutils coreutils is used with non-regular file inputs such as pipes or process substitutions. Detection involves observing incorrect output or false sorting warnings when running comm on such inputs.
A practical way to detect the issue is to run comm with process substitutions or pipes and check for skipped data or erroneous warnings.
- Run a command such as `comm <(cat file1) <(cat file2)` and compare its output with `comm file1 file2`, which reads regular files and is not affected; any missing lines in the first run point to the drained pre-read.
- Check for sorting warnings or unexpected results that indicate data loss or an incorrect comparison.
Can you explain this vulnerability to me?
The vulnerability exists in the comm utility of uutils coreutils, which reads from non-regular file inputs before the actual comparison begins.
Specifically, the `are_files_identical` function opens and reads both input paths to compare their contents without first checking whether the inputs are regular files.
If an input is a FIFO or a pipe, this pre-read drains the stream, so the data is silently lost before the real comparison runs.
Moreover, if an input is an infinite stream such as `/dev/zero`, the utility may hang indefinitely in that pre-read.
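A hardened identity check of the kind the fix describes, written as an added example for this page and not taken from uutils coreutils: it inspects metadata first and reads the two paths only when both are regular files, so a FIFO, a pipe or `/dev/zero` is never drained or blocked on. The function name follows the CVE text; the same-inode and size shortcuts are assumptions of this example, not behaviour the page attributes to the project.

```rust
use std::fs::{self, File};
use std::io::{self, BufReader, Read};
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Read until `buf` is full or EOF; returns the number of bytes read.
fn fill<R: Read>(r: &mut R, buf: &mut [u8]) -> io::Result<usize> {
    let mut n = 0;
    while n < buf.len() {
        match r.read(&mut buf[n..])? {
            0 => break,
            k => n += k,
        }
    }
    Ok(n)
}

/// Hardened identity check (hypothetical rewrite, not the uutils code):
/// nothing is opened or read unless both paths are regular files, so a
/// FIFO, a pipe or a device such as /dev/zero is never drained or blocked on.
pub fn are_files_identical(a: &Path, b: &Path) -> io::Result<bool> {
    let (ma, mb) = (fs::metadata(a)?, fs::metadata(b)?);
    if !ma.file_type().is_file() || !mb.file_type().is_file() {
        // Non-regular input: skip the pre-read and let the caller stream it.
        return Ok(false);
    }
    if ma.dev() == mb.dev() && ma.ino() == mb.ino() {
        return Ok(true); // same inode: identical without reading a byte
    }
    if ma.len() != mb.len() {
        return Ok(false); // different sizes cannot be identical
    }
    let (mut ra, mut rb) = (BufReader::new(File::open(a)?), BufReader::new(File::open(b)?));
    let (mut ba, mut bb) = ([0u8; 8192], [0u8; 8192]);
    loop {
        let (na, nb) = (fill(&mut ra, &mut ba)?, fill(&mut rb, &mut bb)?);
        if na != nb || ba[..na] != bb[..nb] {
            return Ok(false);
        }
        if na == 0 {
            return Ok(true);
        }
    }
}
```

Calling it on a FIFO that has no writer returns immediately, whereas an unguarded `File::open` would block there; that difference is the whole point of the metadata check.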
How can this vulnerability impact me?
This vulnerability can lead to silent data loss when using the comm utility on non-regular files such as FIFOs or pipes, as the data stream is consumed before comparison.
Additionally, the utility may hang indefinitely if it tries to read from infinite streams, causing potential denial of service or workflow interruptions.
The CVSS score indicates a low to medium severity with impacts on integrity and availability but no confidentiality loss.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid using the comm utility with non-regular files such as pipes or process substitutions until the fix is applied.
Update the uutils coreutils package to a version that includes the fix merged on January 17, 2026, which skips redundant file identity checks for non-regular files.
If updating immediately is not possible, consider using alternative tools or methods that do not rely on comm for comparing data streams from pipes or FIFOs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the comm utility causes silent data loss when reading from non-regular files such as pipes or FIFOs, which could lead to incorrect or incomplete data processing.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, data loss or corruption issues can potentially impact compliance by compromising data integrity and accuracy.
Standards such as GDPR and HIPAA require accurate and reliable handling of data, so any silent data loss or incorrect processing could pose risks to meeting these regulatory requirements.