DEBIAN-CVE-2026-35366

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-35366

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35366.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-35366

Upstream

CVE-2026-35366

Published

2026-04-22T17:16:40.167Z

Modified

2026-06-11T09:04:07.903804895Z

Summary

[none]

Details

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

References

https://security-tracker.debian.org/tracker/CVE-2026-35366

Affected packages

Debian:12 / rust-coreutils

Package

Name: rust-coreutils
Purl: pkg:deb/debian/rust-coreutils?arch=source&distro=bookworm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0.17-2

0.0.17-3

0.0.17-4

0.0.17-5

0.0.17-6

0.0.19-1

0.0.19-2

0.0.19-3

0.0.20-1

0.0.21-1

0.0.22-1

0.0.23-1

0.0.23-2

0.0.23-3

0.0.24-1

0.0.24-2

0.0.26-1

0.0.26-2

0.0.26-3

0.0.26-4

0.0.26-5

0.0.27-1

0.0.27-2

0.0.27-3

0.0.30-1

0.0.30-2

0.0.30-3~exp1

0.0.30-3

0.0.30-4

0.6.0-1

0.7.0-1

0.8.0-1

0.8.0-2

0.8.0-3

0.8.0-4

0.8.0-5

0.8.0-6

0.9.0-1

0.9.0-2

0.9.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35366.json"

Debian:13 / rust-coreutils

Package

Name: rust-coreutils
Purl: pkg:deb/debian/rust-coreutils?arch=source&distro=trixie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0.30-2

0.0.30-3~exp1

0.0.30-3

0.0.30-4

0.6.0-1

0.7.0-1

0.8.0-1

0.8.0-2

0.8.0-3

0.8.0-4

0.8.0-5

0.8.0-6

0.9.0-1

0.9.0-2

0.9.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35366.json"

Debian:14 / rust-coreutils

Package

Name: rust-coreutils
Purl: pkg:deb/debian/rust-coreutils?arch=source&distro=forky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.0-1

Affected versions

0.*

0.0.30-2

0.0.30-3~exp1

0.0.30-3

0.0.30-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35366.json"