CVE-2026-35346
CVE-2026-35346 is a low-severity vulnerability rated 3.3/10 on the CVSS scale. The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). EPSS estimates a 0.18% chance of exploitation in the next 30 days.
Description
The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings.
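The following Rust example is added here to illustrate the defect the description refers to; it is not uutils code and not the patched implementation. It places the lossy pattern (String::from_utf8_lossy on every output line) beside a byte-preserving alternative, adds a check that reports whether lossy conversion would alter a given line, and uses a hypothetical minimal three-column comm over byte slices to show that comparing and emitting raw bytes keeps the input intact. It also goes one step past the advisory text: because distinct invalid byte sequences all collapse to U+FFFD, lossy decoding can make two different lines compare equal. The Latin-1 sample line is constructed.

```rust
use std::borrow::Cow;
use std::cmp::Ordering;

/// Constructed sample input: "café" encoded in ISO-8859-1 (Latin-1).
/// The trailing byte 0xE9 is not a valid UTF-8 sequence on its own.
pub const LATIN1_LINE: &[u8] = b"caf\xE9";

/// The pattern the advisory describes: each output line goes through
/// String::from_utf8_lossy, so every invalid byte is replaced by U+FFFD
/// (EF BF BD in UTF-8) before the line is written out.
pub fn lossy_output_line(line: &[u8]) -> Vec<u8> {
    let s: Cow<'_, str> = String::from_utf8_lossy(line);
    s.as_bytes().to_vec()
}

/// Byte-preserving alternative: the line is an opaque byte sequence that is
/// written without decoding, so the input bytes survive unchanged.
pub fn raw_output_line(line: &[u8]) -> Vec<u8> {
    line.to_vec()
}

/// Detection helper: would lossy conversion alter this line at all?
/// Valid UTF-8 (including plain ASCII) round-trips unchanged, so only lines
/// containing invalid sequences report true.
pub fn lossy_conversion_corrupts(line: &[u8]) -> bool {
    lossy_output_line(line).as_slice() != line
}

/// Two different byte lines become indistinguishable after lossy decoding
/// when their invalid bytes both collapse to U+FFFD.
pub fn lossy_forms_collide(a: &[u8], b: &[u8]) -> bool {
    a != b && String::from_utf8_lossy(a) == String::from_utf8_lossy(b)
}

/// Hypothetical minimal three-column comm over already-sorted byte lines
/// (not uutils' implementation). Column 0: only in `a`, column 1: only in
/// `b`, column 2: present in both. Lines are compared as raw bytes.
pub fn comm_bytes<'a>(a: &[&'a [u8]], b: &[&'a [u8]]) -> [Vec<&'a [u8]>; 3] {
    let mut cols: [Vec<&'a [u8]>; 3] = [Vec::new(), Vec::new(), Vec::new()];
    let (mut i, mut j) = (0, 0);
    while i < a.len() && j < b.len() {
        match a[i].cmp(b[j]) {
            Ordering::Less => {
                cols[0].push(a[i]);
                i += 1;
            }
            Ordering::Greater => {
                cols[1].push(b[j]);
                j += 1;
            }
            Ordering::Equal => {
                cols[2].push(a[i]);
                i += 1;
                j += 1;
            }
        }
    }
    cols[0].extend_from_slice(&a[i..]);
    cols[1].extend_from_slice(&b[j..]);
    cols
}

fn main() {
    println!("input: {:02x?}", LATIN1_LINE);
    println!("lossy: {:02x?}", lossy_output_line(LATIN1_LINE));
    println!("raw:   {:02x?}", raw_output_line(LATIN1_LINE));
    println!("collide: {}", lossy_forms_collide(b"caf\xE9", b"caf\xE8"));

    let left: [&[u8]; 2] = [&b"apple"[..], LATIN1_LINE];
    let right: [&[u8]; 2] = [LATIN1_LINE, &b"zeta"[..]];
    let cols = comm_bytes(&left, &right);
    for (n, col) in cols.iter().enumerate() {
        println!("column {}: {:02x?}", n + 1, col);
    }
}
```

Running it shows the four-byte input becoming six bytes under the lossy path (the 0xE9 replaced by EF BF BD) while the raw path and the byte-based comm return the original line in column 3. The `lossy_conversion_corrupts` check is the kind of guard a test suite can run over sample files in legacy encodings to catch this class of regression.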
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Uutils | Coreutils | < 0.6.0 |
References
- https://github.com/uutils/coreutils/issues/10192 (Exploit, Issue Tracking, Vendor Advisory)
- https://github.com/uutils/coreutils/pull/10206 (Issue Tracking, Patch)
Timeline
- Published
- Last Modified
- Status
- Analyzed
Source: NVD / NIST
