CVE-2026-35346

EUVD-2026-24978

22.04.2026, 17:16

The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.3 LOW	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-176 - Improper Handling of Unicode Encoding
The software does not properly handle when an input contains Unicode encoding.

References

https://github.com/uutils/coreutils/issues/10192

https://github.com/uutils/coreutils/pull/10206

https://github.com/uutils/coreutils/releases/tag/0.6.0

https://github.com/uutils/coreutils/issues/10192