The comm utility in uutils coreutils performs a pre‑read on both input paths by calling are_files_identical without first verifying that the paths refer to regular files. If one of the inputs is a FIFO, pipe, or another non‑regular stream, this initial read drains the data that would otherwise be compared, causing silent data loss. Additionally, the utility may block indefinitely when it attempts to pre‑read from infinite streams such as /dev/zero, resulting in a denial of service. The flaw is a classic fail‑safety oversight (CWE‑20).

Uutils coreutils, specifically the comm command. All releases before the fix present in the 0.6.0 release are vulnerable. Users should upgrade to version 0.6.0 or later to eliminate the pre‑read logic, or use an alternative that does not accept non‑regular file inputs for comparison.

The CVSS score of 4.4 indicates low severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no public exploitation. The vulnerability can be triggered only when a local user supplies a non‑regular file descriptor—such as a FIFO or pipe—to the comm command. Because the attacker must have local access or the ability to provide such streams, the overall risk remains moderate and is confined to accidental data loss or service interruption within the affected environment.