Description

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

INFO

Published Date :

2026-04-22T16:08:43.746Z

Last Modified :

2026-04-22T17:50:09.879Z

Source :

canonical
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35366 vulnerability.

Vendors Products
Uutils
  • Coreutils
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35366.

URL Resource
https://github.com/uutils/coreutils/issues/9701 cve-icon cve-icon cve-icon
https://github.com/uutils/coreutils/pull/9728 cve-icon cve-icon
https://github.com/uutils/coreutils/releases/tag/0.6.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact