Advisory Database

CVE-2026-35344: uutils coreutils has an Unchecked Return Value Issue

April 22, 2026 (updated April 29, 2026)

The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.
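The pattern described above, next to a checked variant, as an added Rust example; it is not code from uutils coreutils. The function names, the sample file contents, and the read-only descriptor used to force a truncation failure are constructed for illustration.

```rust
use std::fs::{self, File, OpenOptions};
use std::io;

/// Pattern from the advisory: the truncation result is turned into an
/// Option with Result::ok() and dropped, so the caller never sees a failure.
fn truncate_lax(f: &File, len: u64) {
    let _ = f.set_len(len).ok();
}

/// Checked variant: a failed truncation is ignored only for special files
/// (such as /dev/null); on regular files and directories it is returned.
fn truncate_checked(f: &File, len: u64) -> io::Result<()> {
    match f.set_len(len) {
        Ok(()) => Ok(()),
        Err(e) => {
            let ft = f.metadata()?.file_type();
            if ft.is_file() || ft.is_dir() { Err(e) } else { Ok(()) }
        }
    }
}

/// Constructed scenario: a destination holding old data, opened read-only so
/// that truncation fails. Returns (bytes left after the lax call, whether the
/// checked call reported the failure, whether /dev/null is still accepted).
fn demo() -> io::Result<(usize, bool, bool)> {
    let path = std::env::temp_dir().join(format!("dd_trunc_demo_{}", std::process::id()));
    fs::write(&path, b"OLD-BACKUP-DATA")?; // constructed stale contents
    let dest = File::open(&path)?; // read-only descriptor: set_len fails

    truncate_lax(&dest, 0); // returns normally, nothing reported
    let stale_len = fs::read(&path)?.len();
    let checked_reports = truncate_checked(&dest, 0).is_err();

    let devnull_ok = OpenOptions::new()
        .write(true)
        .open("/dev/null")
        .and_then(|f| truncate_checked(&f, 0))
        .is_ok();

    fs::remove_file(&path)?;
    Ok((stale_len, checked_reports, devnull_ok))
}

fn main() -> io::Result<()> {
    let (stale_len, checked_reports, devnull_ok) = demo()?;
    println!("bytes left after lax truncate: {stale_len}");
    println!("checked variant reported failure: {checked_reports}");
    println!("/dev/null still accepted: {devnull_ok}");
    Ok(())
}
```

Until a fixed release is available, scripts that rely on dd can compare the destination's size or checksum against the source after the copy instead of trusting the exit status alone.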

References

  • github.com/advisories/GHSA-wh8p-h9hw-x2mc
  • github.com/uutils/coreutils
  • github.com/uutils/coreutils/issues/9745
  • nvd.nist.gov/vuln/detail/CVE-2026-35344


Affected versions

All versions up to 0.8.0

Solution

Unfortunately, there is no solution available yet.

Impact 3.3 LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


Weakness

  • CWE-252: Unchecked Return Value

Source file

cargo/coreutils/CVE-2026-35344.yml



Page generated Sat, 09 May 2026 12:17:45 +0000.