CVE-2026-35347 Overview
The comm utility in uutils coreutils contains an improper input validation vulnerability that causes data loss when processing non-regular file inputs. The are_files_identical function opens and reads from both input paths to compare content without first verifying whether the paths refer to regular files. When an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams such as /dev/zero.
Critical Impact
Silent data loss occurs when using FIFOs or pipes as input, and potential denial of service through indefinite hangs when processing infinite streams.
Affected Products
- uutils coreutils versions prior to 0.6.0
- Systems using the comm utility with non-regular file inputs (FIFOs, pipes)
- Environments relying on stream-based file comparisons
Discovery Timeline
- 2026-04-22 - CVE-2026-35347 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35347
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the comm utility's file comparison logic. The are_files_identical function was designed to optimize comparisons by pre-reading file contents, but it fails to account for the behavior of special file types. When processing regular files, this approach works as intended. However, when the input is a FIFO (named pipe) or an unnamed pipe, reading from the file descriptor consumes the data from the stream buffer. Since FIFOs and pipes are sequential and non-seekable, this consumed data cannot be retrieved for the subsequent comparison operation.
The vulnerability presents two distinct failure modes: for finite streams like user-created FIFOs, the data is silently consumed and lost; for infinite streams like /dev/zero or /dev/urandom, the pre-read operation never completes, causing the utility to hang indefinitely.
Root Cause
The root cause is the absence of file type validation before performing pre-read operations. The are_files_identical function directly opens and reads from input paths without checking whether they are regular files using system calls like fstat() or stat(). This violates the principle that stream-based inputs should only be read once and in sequence. The function should verify that inputs are regular, seekable files before attempting any content comparison that involves pre-reading.
Attack Vector
The attack vector requires local access to the system. An attacker or malicious script could craft scenarios where the comm utility processes FIFO inputs, causing data integrity issues in automated pipelines or shell scripts. In production environments where comm is used for data validation or synchronization tasks, this could result in incorrect comparison results due to the consumed data. The denial of service vector is exploitable by passing device files like /dev/zero as input, which would cause the process to hang indefinitely, potentially blocking dependent processes or consuming system resources.
The vulnerability can be exploited when the comm utility receives non-regular file inputs such as FIFOs created with mkfifo or piped input through process substitution. The pre-read operation in are_files_identical consumes data from these streams before the actual line-by-line comparison begins, resulting in either silent data loss or indefinite blocking. For detailed technical analysis, refer to the GitHub Pull Request #9545.
Detection Methods for CVE-2026-35347
Indicators of Compromise
- Unexpected empty output or missing lines when using comm with FIFO or pipe inputs
- Process hangs when comm is invoked with device files like /dev/zero or /dev/urandom
- Shell scripts or automated pipelines producing inconsistent comparison results
- High CPU or blocking processes associated with comm utility invocations
Detection Strategies
- Monitor for comm processes that stay blocked on a pipe, or keep running without producing output, for far longer than expected
- Review shell scripts and automation workflows that use comm with process substitution or named pipes
- Implement file type validation in wrapper scripts before invoking comm with untrusted inputs
- Audit system logs for abnormal process behavior related to coreutils utilities
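As an added example for the "review shell scripts and automation workflows" strategy above (not code from the advisory or from uutils coreutils), the following script statically audits a shell script for comm invocations whose inputs are pipes, device files or stdin. It is a text heuristic, not a shell parser: it pairs names passed to mkfifo with later comm lines, and flags process substitution, /dev/zero-style devices and a bare "-" argument. The sample script it scans is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from uutils coreutils.
# Scan a shell script for comm calls that receive stream inputs. The patterns
# are heuristics on the script text, not a real shell parser.

# audit_comm_usage SCRIPT
# Prints "SCRIPT:LINE: reason[; reason]" for each suspicious comm call.
# Returns 0 when the script is clean, 1 when anything was flagged.
audit_comm_usage() {
    script=$1
    # Pass 1: names given to mkfifo in this script (first token after mkfifo,
    # so 'mkfifo -m 600 NAME' would be misread as the option; known limitation).
    fifos=$(sed -n 's/.*mkfifo[[:space:]]\{1,\}\([^[:space:];&|]*\).*/\1/p' "$script")
    # Pass 2: every line that invokes comm, with its line number.
    findings=$(
        grep -nE '(^|[^[:alnum:]_])comm[[:space:]]' "$script" |
        while IFS= read -r hit; do
            lineno=${hit%%:*}
            text=${hit#*:}
            reasons=""
            case $text in *'<('*)
                reasons="process substitution (unnamed pipe)" ;; esac
            case $text in */dev/zero*|*/dev/urandom*|*/dev/random*)
                reasons="${reasons:+$reasons; }device file (never reaches EOF)" ;; esac
            case " $text " in *" - "*)
                reasons="${reasons:+$reasons; }stdin '-' (usually a pipe)" ;; esac
            for f in $fifos; do
                case $text in *"$f"*)
                    reasons="${reasons:+$reasons; }named pipe $f" ;; esac
            done
            if [ -n "$reasons" ]; then
                printf '%s:%s: %s\n' "$script" "$lineno" "$reasons"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demonstration on a constructed script: lines 5 and 6 should be flagged,
# line 7 (two regular files) should not. The script is only scanned, never run.
demo=$(mktemp -d)
cat > "$demo/sync.sh" <<'EOF'
#!/bin/sh
sort expected.txt > /tmp/expected.sorted
mkfifo /tmp/live.fifo
producer > /tmp/live.fifo &
comm -3 /tmp/expected.sorted /tmp/live.fifo
comm -12 <(sort a.txt) <(sort b.txt)
comm -23 left.txt right.txt
EOF
audit_comm_usage "$demo/sync.sh" || echo "review the flagged lines before deploying"
rm -rf "$demo"
```

Run it over the scripts and cron jobs that feed comm in a pipeline; every flagged line is a place where a pre-reading comm would either lose data (pipes, FIFOs, stdin) or never finish (device files).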
Monitoring Recommendations
- Set process timeout limits for comm invocations in production environments
- Implement alerts for processes consuming resources without completing
- Review and test data processing pipelines that rely on comm for file comparison operations
- Monitor for data integrity issues in systems using comm for synchronization tasks
How to Mitigate CVE-2026-35347
Immediate Actions Required
- Upgrade uutils coreutils to version 0.6.0 or later, which contains the fix
- Review and audit scripts that use comm with non-regular file inputs
- Implement file type checks before passing inputs to comm in critical workflows
- Consider using alternative comparison methods for FIFO or pipe-based data
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix ensures proper file type validation is performed before any pre-read operations. Users should upgrade to this version or later to remediate the vulnerability. The patch details are available in the GitHub Pull Request #9545, and the fixed release can be obtained from the GitHub Release 0.6.0.
Workarounds
- Validate input file types before invoking comm using test -f or stat commands
- Avoid using comm with FIFOs, pipes, or device files until the patched version is deployed
- Implement timeout wrappers around comm invocations to prevent indefinite hangs
- Use temporary regular files instead of pipes when processing stream data with comm
# Workaround: validate file types before using comm
# Usage: safe-comm.sh FILE1 FILE2
# test -f is true only for regular files (symlinks are followed), so FIFOs,
# process-substitution pipes and device files such as /dev/zero are rejected.
file1=$1
file2=$2
if [ -f "$file1" ] && [ -f "$file2" ]; then
    comm "$file1" "$file2"
else
    echo "Error: comm requires regular files, not FIFOs or pipes" >&2
    exit 1
fi
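The wrapper below is an added example (not code from the advisory or from uutils coreutils) that applies the check described in the root-cause section and the workaround list together: it decides by file type before anything reads an input, passes regular files to comm untouched, drains FIFOs and process-substitution pipes exactly once into a temporary regular file (so any pre-read inside comm can no longer lose data), bounds that drain with timeout where available, and refuses device files that never reach EOF. The SAFE_COMM_TIMEOUT variable and the function names are this wrapper's own; the demonstration data is constructed.

```shell
#!/bin/sh
# Added example, not code from the advisory or from uutils coreutils.
# SAFE_COMM_TIMEOUT (seconds, default 30) is an assumed knob of this wrapper.

# classify_input PATH -> regular | stream | device | missing | other
classify_input() {
    if   [ -f "$1" ]; then echo regular
    elif [ -p "$1" ]; then echo stream     # mkfifo name, or /dev/fd/N from <( )
    elif [ -c "$1" ]; then echo device     # /dev/zero, /dev/urandom, ...
    elif [ ! -e "$1" ]; then echo missing
    else echo other                        # directory, socket, block device
    fi
}

# prepare_input PATH SPOOLFILE -> prints the path comm should read, or fails.
prepare_input() {
    case $(classify_input "$1") in
        regular)
            printf '%s\n' "$1" ;;
        stream)
            # Read the stream once, sequentially, into a seekable regular file.
            # timeout (GNU coreutils) bounds how long a stalled writer can block
            # us; it is used only when present on the system.
            if command -v timeout >/dev/null 2>&1; then
                timeout "${SAFE_COMM_TIMEOUT:-30}" cat "$1" > "$2" || return 1
            else
                cat "$1" > "$2" || return 1
            fi
            printf '%s\n' "$2" ;;
        device)
            echo "safe_comm: refusing device file $1 (may never reach EOF)" >&2
            return 1 ;;
        *)
            echo "safe_comm: $1 is not a regular file or a pipe" >&2
            return 1 ;;
    esac
}

# safe_comm FILE1 FILE2 [comm options...]
# Exit status: comm's own status, or 2 when an input was rejected.
safe_comm() {
    in1=$1; in2=$2; shift 2
    tmpdir=$(mktemp -d) || return 2
    f1=$(prepare_input "$in1" "$tmpdir/left")  || { rm -rf "$tmpdir"; return 2; }
    f2=$(prepare_input "$in2" "$tmpdir/right") || { rm -rf "$tmpdir"; return 2; }
    comm "$@" "$f1" "$f2"
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Demonstration on constructed data: a regular file on the left, a FIFO on the
# right fed by a background writer, as a real producer in a pipeline would do.
demo=$(mktemp -d)
printf 'apple\nbanana\ncherry\n' > "$demo/left.txt"
mkfifo "$demo/right.fifo"
printf 'banana\ncherry\ndate\n' > "$demo/right.fifo" &
safe_comm "$demo/left.txt" "$demo/right.fifo" -12     # lines present in both
wait
rm -rf "$demo"
```

Spooling to a temporary file costs disk space proportional to the stream, which is the price of making the input seekable; for very large streams, sorting the producer's output into a regular file first (as the last workaround above suggests) is the equivalent without the wrapper.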
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

