The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.
References
| Link | Resource |
|---|---|
| https://github.com/uutils/coreutils/issues/9701 | Exploit Issue Tracking |
| https://github.com/uutils/coreutils/pull/9728 | Issue Tracking Patch |
| https://github.com/uutils/coreutils/releases/tag/0.6.0 | Release Notes |
| https://github.com/uutils/coreutils/issues/9701 | Exploit Issue Tracking |
Configurations
History
04 May 2026, 18:52
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* | |
| First Time |
Uutils
Uutils coreutils |
|
| References | () https://github.com/uutils/coreutils/issues/9701 - Exploit, Issue Tracking | |
| References | () https://github.com/uutils/coreutils/pull/9728 - Issue Tracking, Patch | |
| References | () https://github.com/uutils/coreutils/releases/tag/0.6.0 - Release Notes |
22 Apr 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/uutils/coreutils/issues/9701 - |
22 Apr 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-22 17:16
Updated : 2026-05-04 18:52
NVD link : CVE-2026-35366
Mitre link : CVE-2026-35366
CVE.ORG link : CVE-2026-35366
JSON object : View
Products Affected
uutils
- coreutils
CWE
CWE-754
Improper Check for Unusual or Exceptional Conditions