2460801 – (CVE-2026-35347) CVE-2026-35347 rust-coreutils: comm: silent data loss or denial of service via improper input validation

Bug 2460801 (CVE-2026-35347) - CVE-2026-35347 rust-coreutils: comm: silent data loss or denial of service via improper input validation

Summary: CVE-2026-35347 rust-coreutils: comm: silent data loss or denial of service vi...

Keywords:
Status:	NEW
Alias:	CVE-2026-35347
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2461182 2461183
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 17:03 UTC by OSIDB Bzimport
Modified:	2026-04-24 19:02 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 17:03:29 UTC

The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.

Note You need to log in before you can comment on or make changes to this bug.