Description
The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Data Corruption
Action: Assess
AI Analysis

Impact

The dd utility in uutils coreutils suppresses errors during file truncation by unconditionally treating the operation as successful. This behavior unintentionally hides failures on regular files and directories caused by full disks or read-only file systems. The result is that scripts performing backups or migrations may report success while the destination file remains unchanged or contains garbage, leading to silent data corruption that can compromise backup integrity and system state.
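
The suppression pattern described above next to a checked alternative, as an added example that is not taken from the uutils source. The function names are hypothetical, the rule of surfacing errors only for regular files and directories follows the description on this page, and a read-only handle is assumed as a stand-in for a full disk or read-only file system.

```rust
use std::fs::{self, File, OpenOptions};
use std::io;

/// Pattern described in the advisory: the truncation result is discarded.
fn truncate_suppressed(dst: &File, len: u64) -> io::Result<()> {
    dst.set_len(len).ok(); // failure is silently dropped (CWE-252)
    Ok(())
}

/// Hardened form: tolerate failure only on special files such as /dev/null.
fn truncate_checked(dst: &File, len: u64) -> io::Result<()> {
    match dst.set_len(len) {
        Ok(()) => Ok(()),
        Err(e) => {
            let kind = dst.metadata()?.file_type();
            if kind.is_file() || kind.is_dir() {
                Err(e) // regular file or directory: the caller must see this
            } else {
                Ok(()) // character device, pipe, etc.: nothing to truncate
            }
        }
    }
}

/// Returns (suppressed reported ok, checked reported ok, length left on disk).
fn demo() -> io::Result<(bool, bool, u64)> {
    // Constructed sample: a destination that still holds old data.
    let path = std::env::temp_dir().join(format!("dd_trunc_demo_{}", std::process::id()));
    fs::write(&path, b"stale backup contents")?;
    // Assumption: a read-only handle stands in for a full disk or read-only
    // file system, because set_len fails on it deterministically.
    let dst = OpenOptions::new().read(true).open(&path)?;
    let suppressed_ok = truncate_suppressed(&dst, 0).is_ok();
    let checked_ok = truncate_checked(&dst, 0).is_ok();
    let remaining = dst.metadata()?.len();
    fs::remove_file(&path)?;
    Ok((suppressed_ok, checked_ok, remaining))
}

fn main() -> io::Result<()> {
    let (suppressed_ok, checked_ok, remaining) = demo()?;
    println!("suppressed ok={suppressed_ok}, checked ok={checked_ok}, bytes left={remaining}");
    Ok(())
}
```

The suppressed variant reports success while the stale bytes remain on disk; the checked variant returns the error so a calling script can stop.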

Affected Systems

The vulnerability affects the uutils coreutils package, specifically its dd component. Version information is not disclosed, so all releases of uutils coreutils that include the current dd implementation are potentially impacted.

Risk and Exploitability

The CVSS score of 3.3 indicates low overall severity, and the EPSS score is not available. This issue is not listed in the CISA KEV catalog. The vulnerability is in a local utility, so the attack vector is likely local or requires privileged execution, such as a compromised user running backup scripts.

Generated by OpenCVE AI on April 22, 2026 at 18:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Use an alternative dd implementation such as GNU coreutils for backup and migration tasks.
  • Verify the integrity of destination files after operations, for example by checking hashes or sizes.
  • Update to a newer version of uutils coreutils once an official patch is released, or apply a local script patch that checks for truncation errors.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Values Removed: (none)
Values Added:

  • Description: The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.
  • Title: uutils coreutils dd Silent Data Corruption via Unconditional Truncation Error Suppression
  • Weaknesses: CWE-252
  • References
  • Metrics: cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T18:04:46.854Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35344

Vulnrichment

Updated: 2026-04-22T18:04:41.439Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T17:16:36.490

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35344

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:30:23Z

Weaknesses