3.3

CVE-2026-35346

Exploit

uutils coreutils comm Silent Data Corruption via Lossy UTF-8 Normalization

The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings.
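The difference between the two output paths described above, as an added Rust example; it is not taken from the uutils code base or its patch. The function names and the sample bytes are constructed for illustration.

```rust
// Lossy path, as the advisory describes it: every invalid UTF-8 sequence
// is replaced by U+FFFD, which is written out as the bytes EF BF BD.
fn write_line_lossy(out: &mut Vec<u8>, line: &[u8]) {
    out.extend_from_slice(String::from_utf8_lossy(line).as_bytes());
    out.push(b'\n');
}

// Byte-preserving path: the line is written exactly as it was read.
fn write_line_raw(out: &mut Vec<u8>, line: &[u8]) {
    out.extend_from_slice(line);
    out.push(b'\n');
}

// Split the input on newlines and emit each line through the chosen writer.
fn render(input: &[u8], write: fn(&mut Vec<u8>, &[u8])) -> Vec<u8> {
    let mut out = Vec::new();
    for line in input.split(|&b| b == b'\n') {
        write(&mut out, line);
    }
    out
}

// 1-based numbers of the lines that the lossy path would alter. Useful as a
// pre-check before trusting output produced by an affected version.
fn lines_altered_by_lossy(input: &[u8]) -> Vec<usize> {
    input
        .split(|&b| b == b'\n')
        .enumerate()
        .filter(|(_, line)| std::str::from_utf8(line).is_err())
        .map(|(i, _)| i + 1)
        .collect()
}

// Constructed sample: ASCII, Latin-1 "café", UTF-8 "café", and a binary line.
const SAMPLE: &[u8] = b"plain ascii\ncaf\xe9\ncaf\xc3\xa9\n\xff\xfe\x00data";

fn main() {
    println!("altered lines: {:?}", lines_altered_by_lossy(SAMPLE));
    println!("lossy: {:02x?}", render(SAMPLE, write_line_lossy));
    println!("raw:   {:02x?}", render(SAMPLE, write_line_raw));
}
```

Only the Latin-1 and binary lines change; valid UTF-8 and ASCII pass through both paths unchanged, which is why the corruption goes unnoticed on typical text input.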
Data provided by the National Vulnerability Database (NVD)
Uutils Coreutils, SwPlatform rust, Version < 0.6.0
No warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.18% | 0.072
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
security@ubuntu.com | 3.3 | 1.8 | 1.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE-176 Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

https://github.com/uutils/coreutils/releases/tag/0.6.0
Release Notes
https://github.com/uutils/coreutils/pull/10206
Patch
Issue Tracking
https://github.com/uutils/coreutils/issues/10192
Vendor Advisory
Exploit
Issue Tracking