01 · The Real Story
This is a bad barcode scanner, not a broken door lock
CVE-2026-35346 affects the comm utility in uutils coreutils before 0.6.0. Instead of writing raw bytes back out like GNU comm, vulnerable builds run output through a lossy UTF-8 conversion path, replacing invalid bytes with U+FFFD and silently corrupting results when input contains binary data or legacy non-UTF-8 text.
The vendor's LOW 3.3 is already generous from an enterprise patch-priority perspective. In the real world this requires the attacker to already have local code execution or a way to steer a victim's local batch job into using uutils comm on specially chosen non-UTF-8 data, and the blast radius is usually confined to the one script or pipeline consuming that output.
"This is a correctness bug with CVE paperwork, not a fleet-priority security emergency."
02 · The Attack Path
3 steps from start to impact.
STEP 01
Get code to run on the box
There is no remote entry point here. An attacker needs a local shell, a scheduled task foothold, a CI runner, or some other way to execute commands on a host that actually uses
uutils instead of GNU coreutils. The only practical 'weaponized tool' is the standard comm binary itself, as shown in the public reproduction issue.Conditions required:
- Attacker already has local execution or can influence a local automation job
- Target host uses
uutils coreutils, not GNU coreutils - Affected version is earlier than
0.6.0
Where this breaks in practice:
- This is post-initial-access by definition
- Many Linux fleets still run GNU coreutils and are not affected
- Even on affected distros, not every host invokes
commin production workflows
Detection/coverage: Asset scanners can fingerprint
rust-coreutils/uutils package versions, but generic vuln scanners will overstate risk because they cannot tell whether any real workflow depends on comm with non-UTF-8 data.STEP 02
Feed non-UTF-8 input into comm
The public proof uses byte sequences like
0xfe and 0xff to force the lossy conversion path. On vulnerable builds, String::from_utf8_lossy() replaces those bytes before output, so the utility no longer preserves byte-exact data the way GNU comm does.Conditions required:
- Input files or streams contain invalid UTF-8 bytes or legacy encodings
- A local user, script, or pipeline runs
common those files
Where this breaks in practice:
- Most business text processing is UTF-8 clean and will never hit the bug
- The flaw is irrelevant for workflows that never compare binary or legacy-encoded content
Detection/coverage: Repro coverage is excellent because the GitHub issue includes a minimal test case; runtime detection is poor because corruption is silent unless you validate output bytes.
STEP 03
Corrupt downstream logic
Impact only materializes if another process trusts
comm output for decisions, reconciliation, filtering, or audit comparison. That can produce false differences or false matches in one pipeline, but it does not by itself grant privilege escalation, code execution, or lateral movement.Conditions required:
- Downstream logic treats
commoutput as authoritative - No independent byte-level validation catches the mismatch
Where this breaks in practice:
- Many pipelines fail visibly or get caught in testing when output changes
- Blast radius is usually limited to one job, one dataset, or one tenant context
Detection/coverage: This is mostly a QA/integrity problem, not a signature-driven detection problem. Unit tests comparing GNU vs uutils behavior catch it better than EDR or NDR.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No evidence of active exploitation found. The user-provided intel says KEV-listed: No, and the public record shows a bug report and patch, not campaign activity. |
|---|---|
| Proof-of-concept availability | Public PoC exists via the upstream issue reproduction in GitHub issue #10192; CISA ADP also tags exploitation state as poc in the CVE record surfaced by OpenCVE. |
| EPSS | User-provided EPSS is 0.00014. That is effectively floor-level exploit likelihood and matches the fact pattern: local-only, narrow preconditions, no automation value. |
| KEV status | Not in CISA KEV as represented in the user-provided intel; no public signs this crossed the threshold from bug to active threat. |
| CVSS vector reality check | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N is directionally fair. The important part is AV:L + PR:L: this starts after an attacker is already on the box or controlling a local job. |
| Affected versions | The CNA record says uutils coreutils < 0.6.0 is affected, across Linux/Unix/macOS builds of the project as packaged or built from source. |
| Fixed versions and distro notes | Upstream fix landed in 0.6.0. Ubuntu marks 24.04 LTS noble and 25.10 questing as vulnerable for rust-coreutils, while 26.04 LTS resolute is listed Not affected on the Ubuntu CVE page. |
| Scanning and exposure data | This is not an internet-exposed service class. Shodan/Censys-style external census is not meaningful here because comm is a local command-line utility, so exposure is governed by package deployment and workflow usage, not open ports. |
| Disclosure date | Published 2026-04-22 in the CVE/NVD ecosystem; Ubuntu lists publication date 22 April 2026. |
| Reporter / researcher | The CVE credits Zellic as finder in the CNA record. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to IGNORE (1.2/10)
The decisive factor is attacker position: this bug begins after local execution or local job influence already exists, which makes it post-compromise and narrowly reachable. Its effect is silent data corruption in specific byte-sensitive workflows, not a boundary break that expands attacker access across the estate.
HIGH Exploitability assessment: local-only, post-initial-access, narrow workflow dependence
MEDIUM Operational impact assessment: severity rises only in rare byte-sensitive automation pipelines
Why this verdict
- Downward pressure: requires local execution or local workflow control —
AV:Lis not a footnote here; it means the attacker is already on the host or already steering the job. - Downward pressure: affected population is narrow — only fleets that actually deployed
uutils coreutilsand specifically invokecommare in scope; large GNU-based Linux estates are unaffected. - Downward pressure: trigger condition is specialized — you need non-UTF-8 or binary-like input to hit the corruption path, which excludes the majority of everyday UTF-8 text workflows.
- Downward pressure: blast radius is small — impact is usually confined to one script, one reconciliation job, or one data-processing path rather than enabling privilege escalation or remote compromise.
- No amplifier from threat intel — no KEV listing, no active exploitation evidence, and an effectively negligible EPSS score.
Why not higher?
There is no remote reachability, no privilege gain, and no direct path to code execution. Even if the integrity consequence is real, every prerequisite narrows the exposed population: local foothold, affected package choice, use of comm, and non-UTF-8 inputs.
Why not lower?
I am not calling this 'not a bug' because the corruption is silent and byte-exactness matters in some pipelines. If your environment uses uutils in CI, build, migration, or reconciliation jobs that compare binary or legacy-encoded data, this can create real integrity mistakes even though it is still a poor security-priority candidate.
05 · Compensating Control
What to do — in priority order.
- Document the exception — Because noisgate rates this IGNORE, there is no action required under the SLA; document that the issue is local-only, post-compromise, and only relevant to byte-sensitive
commworkflows. Use this rationale to keep it out of emergency patch queues. - Pin GNU coreutils for byte-sensitive jobs — If you do have scripts comparing binary blobs or legacy-encoded text, explicitly invoke GNU
commor route those jobs to hosts withoutuutils. Since there is no noisgate mitigation SLA for IGNORE, do this through normal change management where testing shows business impact. - Add regression tests for raw-byte fidelity — In CI or packaging validation, compare
commoutput against known byte sequences and fail builds if invalid UTF-8 bytes are rewritten. This is the right long-term guardrail for distributions experimenting withuutilssubstitutions.
What doesn't work
- EDR does not help much here; there is no exploit chain to intercept, just a legitimate utility producing wrong bytes.
- WAF, NGFW, and email security controls are irrelevant because there is no network-facing attack surface in the first place.
- MFA does nothing once the premise already assumes local code execution or a controlled batch job.
06 · Verification
Crowdsourced verification payload.
Run this on the target Linux/macOS host you want to assess, not from an auditor workstation. Invoke it as bash check-cve-2026-35346.sh /usr/bin/comm; if you omit the argument it defaults to comm in PATH. No root is required, but the script needs execute permission on the binary and access to --version output.
#!/usr/bin/env bash
# check-cve-2026-35346.sh
# Detects whether the local 'comm' binary appears affected by CVE-2026-35346.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -u
TARGET="${1:-comm}"
TMPDIR="$(mktemp -d 2>/dev/null || mktemp -d -t cve35346)"
A="$TMPDIR/a.bin"
B="$TMPDIR/b.bin"
OUT="$TMPDIR/out.bin"
ERR="$TMPDIR/err.txt"
cleanup() {
rm -rf "$TMPDIR"
}
trap cleanup EXIT
if ! command -v "$TARGET" >/dev/null 2>&1 && [ ! -x "$TARGET" ]; then
echo "UNKNOWN: comm binary not found: $TARGET"
exit 2
fi
# Resolve command path if a bare command name was given.
if command -v "$TARGET" >/dev/null 2>&1; then
BIN="$(command -v "$TARGET")"
else
BIN="$TARGET"
fi
VER_OUT="$($BIN --version 2>/dev/null | head -n 2)"
if [ -z "$VER_OUT" ]; then
echo "UNKNOWN: unable to read version from $BIN"
exit 2
fi
# If this is clearly GNU comm, it's not affected by this uutils-only CVE.
if printf '%s' "$VER_OUT" | grep -qi 'GNU coreutils'; then
echo "PATCHED: GNU coreutils detected at $BIN (not affected by CVE-2026-35346)"
exit 0
fi
# If this is clearly uutils >= 0.6.0, treat as patched.
if printf '%s' "$VER_OUT" | grep -qi 'uutils'; then
UVER="$(printf '%s\n' "$VER_OUT" | sed -n 's/.*uutils[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n1)"
if [ -n "$UVER" ]; then
awk -v v="$UVER" 'BEGIN {
split(v,a,".");
maj=a[1]+0; min=a[2]+0; pat=a[3]+0;
if (maj>0 || (maj==0 && min>=6)) exit 0; else exit 1;
}'
if [ $? -eq 0 ]; then
echo "PATCHED: uutils version $UVER detected at $BIN (>= 0.6.0)"
exit 0
fi
fi
fi
# Behavioral test from the public repro: vulnerable versions replace invalid bytes.
printf '\376\n\377\n' > "$A"
printf '\377\n\376\n' > "$B"
if ! "$BIN" "$A" "$B" > "$OUT" 2> "$ERR"; then
echo "UNKNOWN: test execution failed for $BIN"
if [ -s "$ERR" ]; then
echo "UNKNOWN detail: $(tr '\n' ' ' < "$ERR")"
fi
exit 2
fi
HEX="$(od -An -tx1 -v "$OUT" | tr -d ' \n')"
EXPECTED_PATCHED="0909ff0a0909fe0a"
if [ "$HEX" = "$EXPECTED_PATCHED" ]; then
echo "PATCHED: raw-byte output preserved; behavior matches fixed/GNU comm"
exit 0
fi
if printf '%s' "$HEX" | grep -qi 'efbfbd'; then
echo "VULNERABLE: output contains UTF-8 replacement bytes (efbfbd), indicating lossy conversion"
exit 1
fi
echo "UNKNOWN: unexpected output pattern from $BIN"
echo "UNKNOWN detail: hex=$HEX"
exit 2
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, do not burn emergency patch bandwidth on this one. Under the noisgate mitigation SLA, IGNORE means no action required; document rationale only. Under the noisgate remediation SLA, there is likewise no required remediation window; just fold
uutils coreutils updates into normal maintenance, and only fast-track testing or package pinning if you know you run byte-sensitive comm workflows on Ubuntu 24.04/25.10 or other uutils deployments.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.