Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged
Permalink CVE-2026-35344
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 days, 10 hours ago Activity log
  • Created suggestion 6 days, 10 hours ago
uutils coreutils dd Silent Data Corruption via Unconditional Truncation Error Suppression

The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.

Affected products

coreutils

Matching in nixpkgs

pkgs.coreutils

GNU Core Utilities

  • nixos-unstable 9.10
    • nixpkgs-unstable 9.10
    • nixos-unstable-small 9.10
  • nixos-25.11 9.8
    • nixos-25.11-small 9.8
    • nixpkgs-25.11-darwin 9.8