{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89364?format=json","vulnerability_id":"VCID-3kqw-6xu4-ske7","summary":"uutils coreutils' comm utility incorrectly consumes data from non-regular file inputs before performing comparison operations\nThe comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.","aliases":[{"alias":"CVE-2026-35347"},{"alias":"GHSA-rx8h-33gr-vhj9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1153909?format=json","purl":"pkg:cargo/coreutils@0.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/coreutils@0.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/127904?format=json","purl":"pkg:deb/debian/rust-coreutils@0.6.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-coreutils@0.6.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/127902?format=json","purl":"pkg:deb/debian/rust-coreutils@0.9.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-coreutils@0.9.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1167825?format=json","purl":"pkg:deb/debian/rust-coreutils@0.9.0-3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-coreutils@0.9.0-3"},{"url":"http://public2.vulnerablecode.io/api/packages/1076599?format=json","purl":"pkg:deb/debian/rust-coreutils@0.9.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-coreutils@0.9.0-3%3Fdistro=trixie"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/127900?format=json","purl":"pkg:deb/debian/rust-coreutils@0.0.17-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ys1-jcj5-5ue1"},{"vulnerability":"VCID-3kqw-6xu4-ske7"},{"vulnerability":"VCID-3x6y-496s-2bcw"},{"vulnerability":"VCID-4kut-uqhp-xqgu"},{"vulnerability":"VCID-7fnt-umjt-3ucr"},{"vulnerability":"VCID-97ct-6a1p-2ycf"},{"vulnerability":"VCID-9maq-vmgc-kqfn"},{"vulnerability":"VCID-bxw8-58qx-afc5"},{"vulnerability":"VCID-d19w-v1ga-efdk"},{"vulnerability":"VCID-d3wx-e9a9-hfan"},{"vulnerability":"VCID-fae5-cdsr-byaz"},{"vulnerability":"VCID-g63c-c256-t3cg"},{"vulnerability":"VCID-hs5h-bujn-z3de"},{"vulnerability":"VCID-hxgd-qn4k-5fhg"},{"vulnerability":"VCID-jfhj-nm7g-d7cs"},{"vulnerability":"VCID-jy1y-gbrd-a3ed"},{"vulnerability":"VCID-kbex-n9yj-rqgp"},{"vulnerability":"VCID-kh1b-byc2-63fj"},{"vulnerability":"VCID-kk6m-5ac5-ukdz"},{"vulnerability":"VCID-nxk9-m5af-bqfn"},{"vulnerability":"VCID-pqdd-nbkm-7bbk"},{"vulnerability":"VCID-qgbp-juhk-bbd6"},{"vulnerability":"VCID-qkuk-1t1k-pua5"},{"vulnerability":"VCID-spk7-mgfp-7qa8"},{"vulnerability":"VCID-tbqj-1kcm-qfh9"},{"vulnerability":"VCID-tuf2-8pym-4kh1"},{"vulnerability":"VCID-u98c-dnhk-gqch"},{"vulnerability":"VCID-wavb-8nd9-xqfn"},{"vulnerability":"VCID-wqw2-x3vx-uyba"},{"vulnerability":"VCID-ygac-1pj8-f3e2"},{"vulnerability":"VCID-ygw8-uxks-d3hv"},{"vulnerability":"VCID-z8qu-wd1z-xqhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-coreutils@0.0.17-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/195564?format=json","purl":"pkg:deb/debian/rust-coreutils@0.0.17-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ys1-jcj5-5ue1"},{"vulnerability":"VCID-3kqw-6xu4-ske7"},{"vulnerability":"VCID-3x6y-496s-2bcw"},{"vulnerability":"VCID-4kut-uqhp-xqgu"},{"vulnerability":"VCID-7fnt-umjt-3ucr"},{"vulnerability":"VCID-97ct-6a1p-2ycf"},{"vulnerability":"VCID-9maq-vmgc-kqfn"},{"vulnerability":"VCID-bxw8-58qx-afc5"},{"vulnerability":"VCID-d19w-v1ga-efdk"},{"vulnerability":"VCID-d3wx-e9a9-hfan"},{"vulnerability":"VCID-fae5-cdsr-byaz"},{"vulnerability":"VCID-g63c-c256-t3cg"},{"vulnerability":"VCID-hs5h-bujn-z3de"},{"vulnerability":"VCID-hxgd-qn4k-5fhg"},{"vulnerability":"VCID-jfhj-nm7g-d7cs"},{"vulnerability":"VCID-jy1y-gbrd-a3ed"},{"vulnerability":"VCID-kbex-n9yj-rqgp"},{"vulnerability":"VCID-kh1b-byc2-63fj"},{"vulnerability":"VCID-kk6m-5ac5-ukdz"},{"vulnerability":"VCID-nxk9-m5af-bqfn"},{"vulnerability":"VCID-pqdd-nbkm-7bbk"},{"vulnerability":"VCID-qgbp-juhk-bbd6"},{"vulnerability":"VCID-qkuk-1t1k-pua5"},{"vulnerability":"VCID-spk7-mgfp-7qa8"},{"vulnerability":"VCID-tbqj-1kcm-qfh9"},{"vulnerability":"VCID-tuf2-8pym-4kh1"},{"vulnerability":"VCID-u98c-dnhk-gqch"},{"vulnerability":"VCID-wavb-8nd9-xqfn"},{"vulnerability":"VCID-wqw2-x3vx-uyba"},{"vulnerability":"VCID-ygac-1pj8-f3e2"},{"vulnerability":"VCID-ygw8-uxks-d3hv"},{"vulnerability":"VCID-z8qu-wd1z-xqhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-coreutils@0.0.17-2"},{"url":"http://public2.vulnerablecode.io/api/packages/127901?format=json","purl":"pkg:deb/debian/rust-coreutils@0.0.30-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ys1-jcj5-5ue1"},{"vulnerability":"VCID-3kqw-6xu4-ske7"},{"vulnerability":"VCID-3x6y-496s-2bcw"},{"vulnerability":"VCID-4kut-uqhp-xqgu"},{"vulnerability":"VCID-7fnt-umjt-3ucr"},{"vulnerability":"VCID-97ct-6a1p-2ycf"},{"vulnerability":"VCID-9maq-vmgc-kqfn"},{"vulnerability":"VCID-bxw8-58qx-afc5"},{"vulnerability":"VCID-d19w-v1ga-efdk"},{"vulnerability":"VCID-d3wx-e9a9-hfan"},{"vulnerability":"VCID-fae5-cdsr-byaz"},{"vulnerability":"VCID-g63c-c256-t3cg"},{"vulnerability":"VCID-hs5h-bujn-z3de"},{"vulnerability":"VCID-hxgd-qn4k-5fhg"},{"vulnerability":"VCID-jfhj-nm7g-d7cs"},{"vulnerability":"VCID-jy1y-gbrd-a3ed"},{"vulnerability":"VCID-kbex-n9yj-rqgp"},{"vulnerability":"VCID-kh1b-byc2-63fj"},{"vulnerability":"VCID-kk6m-5ac5-ukdz"},{"vulnerability":"VCID-nxk9-m5af-bqfn"},{"vulnerability":"VCID-pqdd-nbkm-7bbk"},{"vulnerability":"VCID-qgbp-juhk-bbd6"},{"vulnerability":"VCID-qkuk-1t1k-pua5"},{"vulnerability":"VCID-spk7-mgfp-7qa8"},{"vulnerability":"VCID-tbqj-1kcm-qfh9"},{"vulnerability":"VCID-tuf2-8pym-4kh1"},{"vulnerability":"VCID-u98c-dnhk-gqch"},{"vulnerability":"VCID-wavb-8nd9-xqfn"},{"vulnerability":"VCID-wqw2-x3vx-uyba"},{"vulnerability":"VCID-ygac-1pj8-f3e2"},{"vulnerability":"VCID-ygw8-uxks-d3hv"},{"vulnerability":"VCID-z8qu-wd1z-xqhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-coreutils@0.0.30-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/195565?format=json","purl":"pkg:deb/debian/rust-coreutils@0.0.30-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ys1-jcj5-5ue1"},{"vulnerability":"VCID-3kqw-6xu4-ske7"},{"vulnerability":"VCID-3x6y-496s-2bcw"},{"vulnerability":"VCID-4kut-uqhp-xqgu"},{"vulnerability":"VCID-7fnt-umjt-3ucr"},{"vulnerability":"VCID-97ct-6a1p-2ycf"},{"vulnerability":"VCID-9maq-vmgc-kqfn"},{"vulnerability":"VCID-bxw8-58qx-afc5"},{"vulnerability":"VCID-d19w-v1ga-efdk"},{"vulnerability":"VCID-d3wx-e9a9-hfan"},{"vulnerability":"VCID-fae5-cdsr-byaz"},{"vulnerability":"VCID-g63c-c256-t3cg"},{"vulnerability":"VCID-hs5h-bujn-z3de"},{"vulnerability":"VCID-hxgd-qn4k-5fhg"},{"vulnerability":"VCID-jfhj-nm7g-d7cs"},{"vulnerability":"VCID-jy1y-gbrd-a3ed"},{"vulnerability":"VCID-kbex-n9yj-rqgp"},{"vulnerability":"VCID-kh1b-byc2-63fj"},{"vulnerability":"VCID-kk6m-5ac5-ukdz"},{"vulnerability":"VCID-nxk9-m5af-bqfn"},{"vulnerability":"VCID-pqdd-nbkm-7bbk"},{"vulnerability":"VCID-qgbp-juhk-bbd6"},{"vulnerability":"VCID-qkuk-1t1k-pua5"},{"vulnerability":"VCID-spk7-mgfp-7qa8"},{"vulnerability":"VCID-tbqj-1kcm-qfh9"},{"vulnerability":"VCID-tuf2-8pym-4kh1"},{"vulnerability":"VCID-u98c-dnhk-gqch"},{"vulnerability":"VCID-wavb-8nd9-xqfn"},{"vulnerability":"VCID-wqw2-x3vx-uyba"},{"vulnerability":"VCID-ygac-1pj8-f3e2"},{"vulnerability":"VCID-ygw8-uxks-d3hv"},{"vulnerability":"VCID-z8qu-wd1z-xqhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-coreutils@0.0.30-2"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35347","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06873","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06843","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06837","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06889","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06885","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35347"},{"reference_url":"https://github.com/uutils/coreutils","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/uutils/coreutils"},{"reference_url":"https://github.com/uutils/coreutils/commit/75f45e87e52ed95840494963ab9a28651165d56e","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/uutils/coreutils/commit/75f45e87e52ed95840494963ab9a28651165d56e"},{"reference_url":"https://github.com/uutils/coreutils/pull/9545","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:11:26Z/"}],"url":"https://github.com/uutils/coreutils/pull/9545"},{"reference_url":"https://github.com/uutils/coreutils/releases/tag/0.6.0","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:11:26Z/"}],"url":"https://github.com/uutils/coreutils/releases/tag/0.6.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35347","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35347"},{"reference_url":"https://github.com/advisories/GHSA-rx8h-33gr-vhj9","reference_id":"GHSA-rx8h-33gr-vhj9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rx8h-33gr-vhj9"}],"weaknesses":[{"cwe_id":20,"name":"Improper Input Validation","description":"The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3kqw-6xu4-ske7"}