Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings.
AnalysisAI
The comm utility in uutils coreutils silently corrupts binary and non-UTF-8 encoded file output by replacing invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD), diverging from GNU comm's byte-preserving behavior. This affects any user comparing files with legacy encodings or binary content, resulting in data integrity loss. A proof-of-concept demonstrating the lossy conversion exists, and a patch is available.
Technical ContextAI
The comm utility is a standard Unix tool for comparing two sorted files line-by-line. The vulnerability stems from the misuse of Rust's String::from_utf8_lossy() function, which assumes all input is UTF-8 or gracefully handles non-UTF-8 sequences by replacing them with U+FFFD. This approach is unsafe for utilities that operate on arbitrary binary data or legacy character encodings (e.g., Latin-1, EUC-JP). GNU comm and other POSIX implementations process raw bytes without validation, preserving data fidelity. The root cause is classified under CWE-176 (Improper Handling of Unicode Encoding), reflecting the mishandling of character encoding assumptions in a low-level file comparison tool.
RemediationAI
Upgrade uutils coreutils to version 0.6.0 or later, which contains the fix available via GitHub pull request #10206. Users unable to upgrade immediately should avoid using uutils comm for binary file comparison or files with non-UTF-8 encodings; instead, use GNU comm or a byte-preserving alternative. If replacement of uutils is not feasible in the short term, restrict the comm utility to UTF-8 text files only via file type validation before processing. Document within operations that uutils coreutils versions before 0.6.0 may corrupt non-UTF-8 data, and audit any historical comparison results involving binary or legacy-encoded files for data integrity.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-176 – Improper Handling of Unicode Encoding
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24978
GHSA-6gcw-w7cp-94g9