CVE-2026-35344 Overview
CVE-2026-35344 is an Improper Check for Exceptional Conditions vulnerability (CWE-252) affecting the dd utility in uutils coreutils. The vulnerability occurs when the utility suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While this behavior was intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems.
Critical Impact
This vulnerability can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.
Affected Products
- uutils coreutils (dd utility)
Discovery Timeline
- 2026-04-22 - CVE-2026-35344 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35344
Vulnerability Analysis
This vulnerability stems from improper error handling in the dd utility's file truncation logic. The dd command is commonly used for low-level copying and conversion of data, making it a critical tool in backup scripts, disk imaging operations, and data migration workflows.
The root issue is that the implementation unconditionally calls Result::ok() on truncation attempts, which discards any Err value (turning it into None) without propagating the failure to the caller. This design choice was made to emulate GNU coreutils behavior when writing to special files that don't support truncation (such as /dev/null). However, the implementation fails to distinguish between expected truncation failures on special files and unexpected failures on regular files or directories.
When a truncation operation fails due to a full disk or read-only file system, the error is silently swallowed. The utility continues execution and may report success to the calling script, even though the destination file was not properly written. This creates a dangerous scenario where backup or migration scripts believe data was successfully copied when the destination actually contains stale, incomplete, or corrupted data.
Root Cause
The vulnerability is classified as CWE-252: Unchecked Return Value. The dd utility fails to properly check the return value of file truncation operations. By unconditionally calling Result::ok() on the truncation result, the code discards error information that would indicate the operation failed. This pattern of ignoring return values is a common source of silent failures in system utilities where error propagation is critical for data integrity.
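The following Rust snippet is an added illustration written for this page, not uutils code: it shows the unchecked Result::ok() pattern described above next to a hardened form that only tolerates a truncation failure on a non-regular destination (a character device such as /dev/null rejects ftruncate with EINVAL) and propagates ENOSPC, EROFS and every other error on regular files. The errno constants are assumed Linux values, defined inline to avoid a libc dependency; the file names are constructed for the demo.

```rust
use std::fs::{File, OpenOptions};
use std::io;

// Assumed Linux errno values (defined here so the example has no libc dependency).
const EINVAL: i32 = 22; // truncation not supported by the file type
const ENOSPC: i32 = 28; // no space left on device
const EROFS: i32 = 30; // read-only file system

/// Vulnerable pattern from the advisory: every truncation error, including
/// ENOSPC or EROFS on a regular file, is discarded and the caller never learns.
pub fn truncate_unchecked(file: &File) -> Option<()> {
    file.set_len(0).ok()
}

/// A truncation failure is only "expected" when the destination is not a
/// regular file and the kernel reports EINVAL (the /dev/null case the
/// GNU-compatibility shortcut was written for). Anything else is a real error.
pub fn is_expected_truncate_failure(is_regular_file: bool, err: &io::Error) -> bool {
    !is_regular_file && err.raw_os_error() == Some(EINVAL)
}

/// Hardened form: truncate, and return the error unless it is the expected
/// special-file case, so a full or read-only destination fails loudly.
pub fn truncate_checked(file: &File) -> io::Result<()> {
    match file.set_len(0) {
        Ok(()) => Ok(()),
        Err(err) => {
            let is_regular = file.metadata()?.file_type().is_file();
            if is_expected_truncate_failure(is_regular, &err) {
                Ok(())
            } else {
                Err(err)
            }
        }
    }
}

fn main() -> io::Result<()> {
    // Constructed demo: a regular file holding "stale" data is truncated with both forms.
    let path = std::env::temp_dir().join("cve_2026_35344_demo.tmp");
    std::fs::write(&path, b"stale data from a previous run")?;
    let file = OpenOptions::new().write(true).open(&path)?;
    println!("unchecked result: {:?}", truncate_unchecked(&file));
    truncate_checked(&file)?;
    println!("checked truncation left {} bytes", file.metadata()?.len());
    let _ = (ENOSPC, EROFS); // documented for readers comparing against raw_os_error()
    std::fs::remove_file(&path)
}
```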
Attack Vector
This vulnerability requires local access to exploit. An attacker or automated process running dd operations on a system with constrained disk space or mounted read-only filesystems could trigger the condition. While the vulnerability is not directly exploitable for code execution, the integrity impact is significant in automated workflows. Consider a scenario where:
- A backup script uses dd to copy critical data
- The destination volume is full or becomes read-only during the operation
- The truncation failure is silently ignored
- The script reports success despite incomplete or corrupted data
- The original data is subsequently deleted or modified on the assumption that the backup is valid
For additional technical details, see the GitHub Coreutils Issue.
Detection Methods for CVE-2026-35344
Indicators of Compromise
- Backup or migration scripts that complete successfully while the destination files contain stale or incomplete data
- Disk space warnings coinciding with dd operations that reported success
- File size mismatches between source and destination after dd operations
Detection Strategies
- Compare checksums (MD5, SHA256) of source and destination files after dd operations to verify data integrity
- Monitor system logs for disk space warnings or read-only filesystem errors during backup windows
- Implement post-copy verification in backup scripts that independently validate the destination file
Monitoring Recommendations
- Add automated verification steps to backup and migration workflows that use dd
- Monitor filesystem capacity thresholds and alert before disks reach capacity
- Review backup logs for any anomalies in operation timing or file sizes that could indicate silent failures
How to Mitigate CVE-2026-35344
Immediate Actions Required
- Audit existing backup and migration scripts that rely on dd from uutils coreutils
- Implement independent verification of dd operations using checksums or file comparisons
- Consider using GNU coreutils dd as an alternative until a patch is available
- Add explicit disk space checks before running dd operations in automated scripts
Patch Information
Monitor the GitHub Coreutils Issue for updates on official patches. As of the last update, users should verify successful data operations independently.
Workarounds
- Use the sync command after dd operations and verify the destination file manually
- Implement wrapper scripts that compare source and destination checksums after dd completes
- Pre-check available disk space before running dd operations to avoid triggering the truncation failure
- Use alternative tools such as rsync with verification flags for critical data operations
#!/bin/sh
# Verification workaround example
# After the dd operation, verify data integrity independently of dd's own exit status
set -eu
dd if=/source/file of=/destination/file bs=4M status=progress
sync
# Verify that the checksums match; this catches a silently ignored truncation failure
SOURCE_HASH=$(sha256sum /source/file | awk '{print $1}')
DEST_HASH=$(sha256sum /destination/file | awk '{print $1}')
if [ "$SOURCE_HASH" != "$DEST_HASH" ]; then
    echo "ERROR: Data verification failed - checksums do not match" >&2
    exit 1
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

