CVE-2026-35346

Name of the Vulnerable Software and Affected Versions uutils coreutils (affected versions not specified)

Description The comm utility silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation utilizes the String::from utf8 lossy() function, which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior leads to corrupted output when comparing binary files or files that use non-UTF-8 legacy encodings, as it does not preserve original raw bytes.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.