Security Vulnerability Report
CVE-2026-35346 CVSS 3.3 LOW

CVE-2026-35346

Published: 2026-04-22 17:16:37
Last Modified: 2026-04-27 12:28:38

Description

The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings.
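As an added illustration that is not part of this advisory or of the uutils code base, the following Rust program contrasts the String::from_utf8_lossy() pattern the description names with a byte-preserving alternative, inside a minimal comm-style three-column merge over sorted lines. The sample file contents, the function names and the output_altered check are constructed for this example.

```rust
// Added example: lossy UTF-8 conversion (the defect described in the advisory)
// beside a byte-preserving approach. Not the uutils implementation.
use std::cmp::Ordering;

/// The pattern the advisory describes: each line is passed through
/// String::from_utf8_lossy before being written, so invalid byte sequences
/// are replaced by U+FFFD (EF BF BD in UTF-8).
pub fn lossy_line(line: &[u8]) -> Vec<u8> {
    String::from_utf8_lossy(line).into_owned().into_bytes()
}

/// Byte-preserving alternative: the line is copied verbatim, no decoding.
pub fn raw_line(line: &[u8]) -> Vec<u8> {
    line.to_vec()
}

/// Split input on b'\n' without decoding; empty lines are dropped for brevity.
pub fn split_lines(input: &[u8]) -> Vec<&[u8]> {
    input.split(|&b| b == b'\n').filter(|l| !l.is_empty()).collect()
}

/// Minimal three-column comm over already-sorted byte lines.
/// Returns (only_in_a, only_in_b, common); `emit` selects the conversion
/// strategy so the two behaviours can be compared on identical input.
pub fn comm_bytes(
    a: &[u8],
    b: &[u8],
    emit: fn(&[u8]) -> Vec<u8>,
) -> (Vec<Vec<u8>>, Vec<Vec<u8>>, Vec<Vec<u8>>) {
    let (la, lb) = (split_lines(a), split_lines(b));
    let (mut i, mut j) = (0, 0);
    let (mut only_a, mut only_b, mut both) = (Vec::new(), Vec::new(), Vec::new());
    while i < la.len() && j < lb.len() {
        match la[i].cmp(&lb[j]) {
            Ordering::Less => { only_a.push(emit(la[i])); i += 1; }
            Ordering::Greater => { only_b.push(emit(lb[j])); j += 1; }
            Ordering::Equal => { both.push(emit(la[i])); i += 1; j += 1; }
        }
    }
    only_a.extend(la[i..].iter().map(|&l| emit(l)));
    only_b.extend(lb[j..].iter().map(|&l| emit(l)));
    (only_a, only_b, both)
}

/// Integrity check (constructed for this example): true when any emitted line
/// differs from the corresponding input bytes, i.e. the tool altered the data.
pub fn output_altered(input_lines: &[&[u8]], output_lines: &[Vec<u8>]) -> bool {
    input_lines
        .iter()
        .zip(output_lines)
        .any(|(i, o)| *i != o.as_slice())
}

fn main() {
    // Constructed sample input: valid text followed by 0xFF 0xFE, which can
    // never appear in well-formed UTF-8. Both files are identical and sorted.
    let file1: &[u8] = b"Valid Text\n\xff\xfe";
    let file2: &[u8] = b"Valid Text\n\xff\xfe";
    let (_, _, lossy) = comm_bytes(file1, file2, lossy_line);
    let (_, _, raw) = comm_bytes(file1, file2, raw_line);
    println!("lossy common lines: {:x?}", lossy); // second line becomes ef bf bd ef bf bd
    println!("raw   common lines: {:x?}", raw);   // second line stays ff fe
    println!("lossy output altered: {}", output_altered(&split_lines(file1), &lossy));
    println!("raw output altered:   {}", output_altered(&split_lines(file1), &raw));
}
```

The fix direction the advisory implies is the raw_line path: keep lines as byte slices from read to write and never route them through a String. The output_altered comparison is the kind of check a test suite can run with non-UTF-8 fixtures to catch this class of regression.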

CVSS Details

CVSS Score
3.3
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35346: uutils coreutils comm data corruption

# Create two files with identical non-UTF-8 binary sequences.
# printf is used instead of echo so that \n and \xff\xfe are written as bytes
# rather than as literal backslash sequences.
printf 'Valid Text\n\xff\xfe' > file1.txt
printf 'Valid Text\n\xff\xfe' > file2.txt
echo "[+] Generated test files with binary content."

# Run uutils comm (assuming 'comm' is the uutils version)
# In a real scenario, ensure the path points to the vulnerable binary
echo "[+] Running uutils comm..."
comm file1.txt file2.txt > output_corrupted.txt
echo "[+] Output hexdump (should show replacement chars if vulnerable):"
xxd output_corrupted.txt

# Compare with GNU comm behavior (which preserves bytes)
echo "[+] For comparison, GNU comm preserves the raw bytes."

References

https://github.com/uutils/coreutils/issues/10192 (Exploit, Issue Tracking, Vendor Advisory)
https://github.com/uutils/coreutils/pull/10206 (Issue Tracking, Patch)
https://github.com/uutils/coreutils/releases/tag/0.6.0 (Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35346", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:36.760", "lastModified": "2026-04-27T12:28:38.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-176"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.6.0", "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10192", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/uutils/coreutils/pull/10206", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "source": "[email protected]", "tags": 
["Release Notes"]}, {"url": "https://github.com/uutils/coreutils/issues/10192", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}