{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35347", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.087Z", "datePublished": "2026-04-22T16:07:54.366Z", "dateUpdated": "2026-04-22T18:11:31.441Z"}, "containers": {"cna": {"title": "uutils coreutils comm Silent Data Loss or Denial of Service via Improper Input Validation", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "versions": [{"status": "affected", "lessThan": "0.6.0", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130: Excessive Allocation"}]}], "descriptions": [{"lang": "en", "value": "The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero."}], "references": [{"url": "https://github.com/uutils/coreutils/pull/9545", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:07:54.366Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/pull/9545", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:11:26.303416Z", "id": "CVE-2026-35347", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:11:31.441Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35347", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:11:26.303416Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/pull/9545", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:11:08.791Z"}}], "cna": {"title": "uutils coreutils comm Silent Data Loss or Denial of Service via Improper Input Validation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130: Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "versions": [{"status": "affected", "version": "0", "lessThan": "0.6.0", "versionType": "semver"}], "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/uutils/coreutils/pull/9545", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:07:54.366Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35347", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:11:31.441Z", "dateReserved": "2026-04-02T12:58:56.087Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:07:54.366Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883", "versionEndExcluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero."}], "id": "CVE-2026-35347", "lastModified": "2026-04-27T12:28:23.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:36.903", "references": [{"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/uutils/coreutils/pull/9545"}, {"source": "security@ubuntu.com", "tags": ["Release Notes"], "url": "https://github.com/uutils/coreutils/releases/tag/0.6.0"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/uutils/coreutils/pull/9545"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "unix", "macos"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coreutils", "source": "cna", "vendor": "Uutils"}, "product": "coreutils", "vendor": "uutils"}], "analysis": {"en": {"generated_at": "2026-04-27T08:46:09.945500+00:00", "value": {"mitigation_remediation": ["Upgrade uutils coreutils to version 0.6.0 or later, which removes the pre\u2011read on non\u2011regular files", "Avoid piping or redirecting non\u2011regular streams into the comm command; use regular files instead for comparison", "If an immediate upgrade is not possible, redirect the comm input through a temporary regular file (e.g., use cat > tmpfile; comm tmpfile /path/to/otherfile) to prevent data drain"], "summary": {"action": "Upgrade", "impact": "Silent Data Loss and Denial of Service"}, "threat_synthesis": {"affected_systems": "Uutils coreutils, specifically the comm command. All releases before the fix present in the 0.6.0 release are vulnerable. Users should upgrade to version 0.6.0 or later to eliminate the pre\u2011read logic, or use an alternative that does not accept non\u2011regular file inputs for comparison.", "description_and_impact": "The comm utility in uutils coreutils performs a pre\u2011read on both input paths by calling are_files_identical without first verifying that the paths refer to regular files. If one of the inputs is a FIFO, pipe, or another non\u2011regular stream, this initial read drains the data that would otherwise be compared, causing silent data loss. Additionally, the utility may block indefinitely when it attempts to pre\u2011read from infinite streams such as /dev/zero, resulting in a denial of service. The flaw is a classic fail\u2011safety oversight (CWE\u201120).", "risk_and_exploitability": "The CVSS score of 4.4 indicates low severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no public exploitation. The vulnerability can be triggered only when a local user supplies a non\u2011regular file descriptor\u2014such as a FIFO or pipe\u2014to the comm command. Because the attacker must have local access or the ability to provide such streams, the overall risk remains moderate and is confined to accidental data loss or service interruption within the affected environment."}}}}, "created": "2026-04-27T18:45:11.483739+00:00", "updated": "2026-04-27T19:54:38.928818+00:00", "vendors": ["uutils", "uutils$PRODUCT$coreutils"]}