CVE-2026-35366

Source
https://cve.org/CVERecord?id=CVE-2026-35366
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35366.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35366
Aliases
Downstream
Published
2026-04-22T16:08:43.746Z
Modified
2026-07-08T08:12:58.301922960Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
uutils coreutils printenv Security Inspection Bypass via UTF-8 Enforcement
Details

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35366.json",
    "cna_assigner": "canonical",
    "cwe_ids": [
        "CWE-754"
    ]
}
References

Affected packages

Git / github.com/uutils/coreutils

Affected ranges

Type
GIT
Repo
https://github.com/uutils/coreutils
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.6.0"
        }
    ]
}

Affected versions

0.*
0.0.1
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.2
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.3
0.0.30
0.0.30-delete
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.1.0
0.2.0
0.2.2
0.3.0
0.4.0
0.5.0
Other
latest-commit

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35366.json"