Skip to content

comm: lossy UTF-8 conversion silently corrupts non-UTF-8 output

Moderate
sylvestre published GHSA-6gcw-w7cp-94g9 May 30, 2026

Package

cargo uu_comm (Rust)

Affected versions

< 0.6.0

Patched versions

0.6.0

Description

The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings.


Zellic finding 3.34. Reported in the Zellic uutils coreutils Program Security Assessment (for Canonical, Jan 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242.

Severity

Moderate

CVE ID

CVE-2026-35346

Weaknesses

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. Learn more on MITRE.