Skip to main content

uutils coreutils EUVDEUVD-2026-24979

| CVE-2026-35347 MEDIUM
Improper Input Validation (CWE-20)
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24979
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:07 nvd
MEDIUM 4.4

DescriptionCVE.org

The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.

AnalysisAI

The comm utility in uutils coreutils drains FIFO and pipe streams before performing file comparison due to premature data consumption in the are_files_identical function, causing silent data loss and potential indefinite hangs on infinite streams. Local authenticated users can trigger this vulnerability to corrupt or lose data in piped workflows, affecting the integrity of command-line data processing chains.

Technical ContextAI

The comm utility is a standard Unix text comparison tool. The vulnerability exists in the are_files_identical function, which reads from both input paths to compare file content before verifying whether those paths refer to regular files (CWE-20: Improper Input Validation). When given FIFO (named pipe) or pipe file descriptors as input, this premature read operation fully drains the stream, discarding data that the actual comparison logic never sees. This is problematic because FIFOs and pipes are sequential, non-seekable streams; once read, the data is consumed and unavailable. Additionally, attempting this operation on infinite streams like /dev/zero causes indefinite blocking, as the pre-read has no termination condition. The affected CPE cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:* indicates all versions prior to the fix are vulnerable.

RemediationAI

Upgrade uutils coreutils to version 0.6.0 or later, which includes the fix merged in pull request 9545 (https://github.com/uutils/coreutils/pull/9545). The patch adds file-type validation to the are_files_identical function to verify that inputs are regular files before performing pre-read operations, preventing data drainage from FIFOs and pipes. If immediate upgrade is not feasible, avoid piping data directly into comm; instead, use temporary regular files or process substitution with explicit regular-file storage as an intermediate step. This workaround has minimal performance overhead for small to medium datasets but may increase disk I/O and storage usage for large streams.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-24979 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy