Low severity 3.3 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 27, 2026
CVE-2026-35346
Description
The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings.
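The effect described above, as an added illustration (not code from uutils coreutils or from this advisory). The functions `emit_lossy`, `emit_raw` and `lines_at_risk` and the sample bytes are hypothetical; they model a simplified line emitter rather than the full comm logic, and `lines_at_risk` shows how to check whether an input contains lines a lossy conversion would alter.

```rust
use std::io::{self, Write};

// Constructed sample: "café" in ISO-8859-1 (byte 0xE9 is not valid UTF-8), then an ASCII line.
const SAMPLE: &[u8] = b"caf\xe9\nplain\n";

/// Emits each line through String::from_utf8_lossy, as the description says
/// affected versions do: invalid sequences become U+FFFD (bytes EF BF BD).
fn emit_lossy(input: &[u8], out: &mut impl Write) -> io::Result<()> {
    for line in input.split_inclusive(|&b| b == b'\n') {
        out.write_all(String::from_utf8_lossy(line).as_bytes())?;
    }
    Ok(())
}

/// Emits each line as raw bytes, the behaviour the description attributes to GNU comm.
fn emit_raw(input: &[u8], out: &mut impl Write) -> io::Result<()> {
    for line in input.split_inclusive(|&b| b == b'\n') {
        out.write_all(line)?;
    }
    Ok(())
}

/// Returns the 1-based numbers of the lines that a lossy conversion would alter.
fn lines_at_risk(input: &[u8]) -> Vec<usize> {
    input
        .split(|&b| b == b'\n')
        .enumerate()
        .filter(|(_, l)| std::str::from_utf8(l).is_err())
        .map(|(i, _)| i + 1)
        .collect()
}

fn main() -> io::Result<()> {
    let (mut lossy, mut raw): (Vec<u8>, Vec<u8>) = (Vec::new(), Vec::new());
    emit_lossy(SAMPLE, &mut lossy)?;
    emit_raw(SAMPLE, &mut raw)?;
    println!("raw   : {:02x?}", raw);
    println!("lossy : {:02x?}", lossy);
    println!("lines at risk: {:?}", lines_at_risk(SAMPLE));
    Ok(())
}
```

The lossy output is two bytes longer than the input and no longer contains 0xE9, so the original byte cannot be recovered from it.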
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| coreutils (crates.io) | < 0.6.0 | 0.6.0 |
References
- github.com/uutils/coreutils/pull/10206 (nvd; Issue Tracking, Patch; WEB)
- github.com/uutils/coreutils/issues/10192 (nvd; Exploit, Issue Tracking, Vendor Advisory; WEB)
- github.com/advisories/GHSA-hwhf-8p2f-45wr (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-35346 (ghsa; ADVISORY)
- github.com/uutils/coreutils/commit/b9372e509ea9b278fe13763237067a261bb8c946 (ghsa; WEB)
- github.com/uutils/coreutils/releases/tag/0.6.0 (nvd; Release Notes; WEB)