CVE-2026-35366
MEDIUMuutils coreutils printenv Security Inspection Bypass via UTF-8 Enforcement
Title source: cnaDescription
The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.
References (3)
Core 3
Core References
Issue Tracking issue-tracking
https://github.com/uutils/coreutils/issues/9701
Patch patch
https://github.com/uutils/coreutils/pull/9728
Vendor Advisory vendor-advisory
https://github.com/uutils/coreutils/releases/tag/0.6.0
Scores
CVSS v3
4.4
EPSS
0.0017
EPSS Percentile
6.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-754
Status
published
Products (3)
crates.io/coreutils
0 - 0.6.0crates.io
Uutils/coreutils
< 0.6.0
uutils/coreutils
< 0.6.0
Published
Apr 22, 2026
Tracked Since
Apr 22, 2026