Impact
The comm utility in the uutils coreutils package silently corrupts its output when the input contains invalid UTF‑8 byte sequences. The implementation decodes input with Rust's String::from_utf8_lossy(), which replaces every invalid sequence with the Unicode replacement character (U+FFFD). GNU comm compares and emits raw bytes; the uutils comm compares the replaced text instead, so distinct byte sequences that are each invalid UTF‑8 can compare equal, and the lines it prints no longer match the bytes it read. The result is incorrect output for binary files and for files in legacy, non‑UTF‑8 encodings, which can cause downstream tools or processes that rely on an accurate comparison to make wrong decisions.
Affected Systems
Affected systems include the comm utility distributed by the uutils coreutils project. The advisory lists no specific version range, but the issue is fixed in releases from 0.6.0 onward, as evidenced by the referenced pull request and release tag. Users of earlier releases, and anyone building from the master branch prior to the fix, are affected.
Risk and Exploitability
The risk is low: the CVSS score is 3.3, no EPSS score is reported, and the vulnerability is not in the CISA KEV catalog. Exploitation requires local access to the system where comm runs, and the impact is limited to incorrect output, a low integrity impact on the comparison result, with no data disclosure or code execution. The most likely scenario is an end user or automated process that runs comm against binary or legacy‑encoded files and then relies on the output for further processing; anyone in that position should check whether their inputs are valid UTF‑8 before trusting results from an affected version.
OpenCVE Enrichment source: GitHub GHSA