Description

The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.
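The missing check described above, as an added Rust example (not the uutils code or its fix): a pre-read identity comparison that classifies both paths first and reads only when both are regular files. The helper name `identical_if_regular` and its `Option<bool>` return convention are assumptions made for this illustration.

```rust
use std::fs::{self, File};
use std::io::{self, ErrorKind, Read};
use std::path::Path;

/// Fill `buf` as far as the reader allows; returns bytes read (0 at EOF).
fn read_full(r: &mut impl Read, buf: &mut [u8]) -> io::Result<usize> {
    let mut filled = 0;
    while filled < buf.len() {
        match r.read(&mut buf[filled..]) {
            Ok(0) => break,
            Ok(n) => filled += n,
            Err(e) if e.kind() == ErrorKind::Interrupted => continue,
            Err(e) => return Err(e),
        }
    }
    Ok(filled)
}

/// Hypothetical helper: Some(result) if both paths are regular files and were
/// compared, None if either is a FIFO, device, etc. and nothing was read.
fn identical_if_regular(a: &Path, b: &Path) -> io::Result<Option<bool>> {
    // Stat by path before opening: open() on a FIFO can block, and any read
    // would consume bytes that the later comparison pass needs.
    let (ma, mb) = (fs::metadata(a)?, fs::metadata(b)?);
    if !ma.is_file() || !mb.is_file() {
        return Ok(None);
    }
    let (mut fa, mut fb) = (File::open(a)?, File::open(b)?);
    // Re-check the opened handles in case a path was swapped after the stat.
    if !fa.metadata()?.is_file() || !fb.metadata()?.is_file() {
        return Ok(None);
    }
    let (mut ba, mut bb) = ([0u8; 8192], [0u8; 8192]);
    loop {
        let (n, m) = (read_full(&mut fa, &mut ba)?, read_full(&mut fb, &mut bb)?);
        if n != m || ba[..n] != bb[..m] {
            return Ok(Some(false));
        }
        if n == 0 {
            return Ok(Some(true));
        }
    }
}

fn main() -> io::Result<()> {
    // /dev/zero is an infinite stream: the guard returns None without reading it.
    println!("{:?}", identical_if_regular(Path::new("/dev/zero"), Path::new("/dev/zero"))?);
    Ok(())
}
```

A caller that receives `None` skips the shortcut and goes straight to the normal line-by-line comparison, so a pipe or FIFO is read exactly once.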

INFO

Published Date: 2026-04-22T16:07:54.366Z
Last Modified: 2026-04-22T18:11:31.441Z
Source: canonical

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-35347 vulnerability.

Vendor: Uutils
Product: Coreutils