CVE-2026-35347: CWE-20: Improper Input Validation in Uutils coreutils
The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.
AI Analysis
Technical Summary
The comm utility in uutils coreutils improperly handles input validation by reading data from both input paths before comparison without checking if the inputs are regular files. This causes the are_files_identical function to consume data from non-regular files such as FIFOs or pipes, resulting in silent data loss. Additionally, the utility may hang indefinitely when reading from infinite streams like /dev/zero due to this pre-read behavior. This vulnerability is categorized under CWE-20 (Improper Input Validation) and has a CVSS 3.1 base score of 4.4, indicating medium severity. No patch or official remediation has been documented as of the published date.
Potential Impact
The vulnerability can cause silent data loss when comm is used with FIFO or pipe inputs because the utility drains the stream before comparison. It may also cause the utility to hang indefinitely when processing infinite streams such as /dev/zero. There is no direct confidentiality impact, but integrity and availability are affected due to data loss and potential hangs.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid using the comm utility on non-regular files such as FIFOs, pipes, or infinite streams to prevent data loss or hangs.
CVE-2026-35347: CWE-20: Improper Input Validation in Uutils coreutils
Description
The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The comm utility in uutils coreutils improperly handles input validation by reading data from both input paths before comparison without checking if the inputs are regular files. This causes the are_files_identical function to consume data from non-regular files such as FIFOs or pipes, resulting in silent data loss. Additionally, the utility may hang indefinitely when reading from infinite streams like /dev/zero due to this pre-read behavior. This vulnerability is categorized under CWE-20 (Improper Input Validation) and has a CVSS 3.1 base score of 4.4, indicating medium severity. No patch or official remediation has been documented as of the published date.
Potential Impact
The vulnerability can cause silent data loss when comm is used with FIFO or pipe inputs because the utility drains the stream before comparison. It may also cause the utility to hang indefinitely when processing infinite streams such as /dev/zero. There is no direct confidentiality impact, but integrity and availability are affected due to data loss and potential hangs.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid using the comm utility on non-regular files such as FIFOs, pipes, or infinite streams to prevent data loss or hangs.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.087Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7ce19fe3cd2cdd00c1f
Added to database: 4/22/2026, 4:31:10 PM
Last enriched: 4/22/2026, 5:02:40 PM
Last updated: 4/23/2026, 12:51:00 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.