Environment Variable Handling Flaw in Uutils Coreutils
CVE-2026-35366

4.4 MEDIUM

Key Information:

Vendor

Uutils

Status
Vendor
CVE Published:
22 April 2026

What is CVE-2026-35366?

The printenv utility in Uutils Coreutils fails to display environment variables that contain invalid UTF-8 byte sequences. Although the POSIX specification allows arbitrary bytes in environment strings, the implementation silently omits these entries instead of printing them in their raw form. Malicious actors can exploit this behavior by injecting harmful environment variables, such as adversarial LD_PRELOAD values, that evade detection by system inspection or administrative scrutiny. The result is a risk of library injection attacks and other threats stemming from overlooked environment configuration.
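The difference between a UTF-8-only listing and a byte-preserving one, as an added example for auditing (not code from Uutils or from the advisory). It assumes the environment is available as a NUL-separated block of `NAME=VALUE` byte strings, as in `/proc/<pid>/environ` on Linux; the function names and the sample block are constructed for illustration.

```rust
// Added example: list a raw environment block without dropping non-UTF-8 entries.
// Assumed input: NUL-separated NAME=VALUE byte strings (e.g. /proc/<pid>/environ).

/// Split a raw environ block into its entries, keeping every byte.
fn split_environ(block: &[u8]) -> Vec<&[u8]> {
    block.split(|&b| b == 0).filter(|e| !e.is_empty()).collect()
}

/// Model of the lossy behaviour the advisory describes: entries that are
/// not valid UTF-8 are silently skipped.
fn list_utf8_only(block: &[u8]) -> Vec<String> {
    split_environ(block)
        .into_iter()
        .filter_map(|e| std::str::from_utf8(e).ok().map(str::to_owned))
        .collect()
}

/// Render an entry safely: printable ASCII as-is, any other byte as \xNN.
fn escape(entry: &[u8]) -> String {
    entry.iter().map(|&b| match b {
        b'\\' => "\\\\".to_string(),
        0x20..=0x7e => (b as char).to_string(),
        _ => format!("\\x{:02x}", b),
    }).collect()
}

/// Byte-preserving listing: every entry is shown; the flag marks invalid UTF-8.
fn list_all(block: &[u8]) -> Vec<(String, bool)> {
    split_environ(block)
        .into_iter()
        .map(|e| (escape(e), std::str::from_utf8(e).is_err()))
        .collect()
}

/// Constructed sample block (not taken from a real system).
const SAMPLE: &[u8] = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/\xff\xfe.so\0LANG=C\0";

fn main() {
    println!("UTF-8-only listing: {:?}", list_utf8_only(SAMPLE));
    for (entry, invalid) in list_all(SAMPLE) {
        println!("{}{}", entry, if invalid { "   <-- invalid UTF-8" } else { "" });
    }
}
```

Comparing the two listings for the same process shows which entries a UTF-8-only view leaves out.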

Affected Version(s)

coreutils Linux 0 < 0.6.0

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic