Threat Advisory

uutils coreutils Vulnerability Causes Data Loss

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-35347 with a CVSS score of 4.4 is a vulnerability affecting the rust/uu_comm package in versions prior to 0.6.0. This issue arises because the utility incorrectly consumes data from non-regular file inputs, such as FIFOs or pipes, before executing comparison operations. Specifically, the `are_files_identical` function attempts to read from input paths to verify content without first checking if these paths refer to regular files. An attacker with local access and low privileges can exploit this flaw by supplying a FIFO or pipe as an input to the comm utility. Successful exploitation causes the pre-read operation to drain the stream, resulting in silent data loss before the comparison logic runs. This can lead to incorrect data processing outcomes or system instability. Furthermore, if the utility attempts to pre-read from infinite streams like `/dev/zero`, it may hang indefinitely, causing denial of service conditions that disrupt critical workflows. Exploitation requires the target system to use the vulnerable version of the utility and the attacker must be able to trigger the process against a pipe or FIFO input.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-35347 with a CVSS score of 4.4 is a vulnerability affecting the rust/uu_comm package in versions prior to 0.6.0. This issue arises because the utility incorrectly consumes data from non-regular file inputs, such as FIFOs or pipes, before executing comparison operations. Specifically, the `are_files_identical` function attempts to read from input paths to verify content without first checking if these paths refer to regular files. An attacker with local access and low privileges can exploit this flaw by supplying a FIFO or pipe as an input to the comm utility. Successful exploitation causes the pre-read operation to drain the stream, resulting in silent data loss before the comparison logic runs. This can lead to incorrect data processing outcomes or system instability. Furthermore, if the utility attempts to pre-read from infinite streams like `/dev/zero`, it may hang indefinitely, causing denial of service conditions that disrupt critical workflows. Exploitation requires the target system to use the vulnerable version of the utility and the attacker must be able to trigger the process against a pipe or FIFO input.[emaillocker id="1283"]

RECOMMENDATION:

  • We recommend you to update rust/uu_comm to version 0.6.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3wfc-mgpm-9rq6

[/emaillocker]
crossmenu