Data Corruption Vulnerability in uutils coreutils by uutils
CVE-2026-35346
3.3 LOW
What is CVE-2026-35346?
The comm utility in uutils coreutils silently corrupts data by applying lossy UTF-8 conversion to all output lines. It uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This diverges from the expected behavior of GNU comm, which correctly processes raw bytes. The flaw can lead to data integrity issues when comparing binary files or files containing non-UTF-8 legacy encodings, ultimately resulting in incorrect or misleading output.
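The difference between lossy and byte-preserving output, as an added example (not the uutils source): a minimal comm-style merge whose line rendering is swappable. The function names comm, render_lossy and render_raw are hypothetical, and the Latin-1 input lines are constructed.

```rust
use std::cmp::Ordering;

/// Minimal comm-style merge of two sorted line lists (illustrative only).
/// `render` turns each input line into the bytes written to the output.
fn comm(a: &[&[u8]], b: &[&[u8]], render: fn(&[u8]) -> Vec<u8>) -> Vec<u8> {
    let (mut i, mut j, mut out) = (0, 0, Vec::new());
    while i < a.len() || j < b.len() {
        // Compare raw bytes; an exhausted side sorts last.
        let ord = match (a.get(i), b.get(j)) {
            (Some(x), Some(y)) => x.cmp(y),
            (Some(_), None) => Ordering::Less,
            _ => Ordering::Greater,
        };
        // Column 1: only in a, column 2: only in b, column 3: in both.
        let (tabs, line) = match ord {
            Ordering::Less => { i += 1; ("", a[i - 1]) }
            Ordering::Greater => { j += 1; ("\t", b[j - 1]) }
            Ordering::Equal => { i += 1; j += 1; ("\t\t", a[i - 1]) }
        };
        out.extend_from_slice(tabs.as_bytes());
        out.extend(render(line));
        out.push(b'\n');
    }
    out
}

/// Behaviour described in the advisory: each invalid UTF-8 sequence is
/// replaced with U+FFFD (bytes EF BF BD), so the original byte is lost.
fn render_lossy(line: &[u8]) -> Vec<u8> {
    String::from_utf8_lossy(line).into_owned().into_bytes()
}

/// Byte-preserving rendering: the line is written exactly as it was read.
fn render_raw(line: &[u8]) -> Vec<u8> {
    line.to_vec()
}

fn main() {
    // Constructed sample: Latin-1 bytes 0xE8 and 0xE9 are not valid UTF-8.
    let a: [&[u8]; 2] = [b"caf\xe8", b"plain"];
    let b: [&[u8]; 2] = [b"caf\xe9", b"plain"];
    // Lossy output shows two different lines as the same text in columns 1 and 2.
    println!("lossy: {:?}", comm(&a, &b, render_lossy));
    println!("raw:   {:?}", comm(&a, &b, render_raw));
}
```

In the lossy output the two distinct input lines are reported in different columns but carry identical bytes, so the result can no longer be traced back to the source files.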
Affected Version(s)
coreutils Linux 0 < 0.6.0
