CVE-2026-35366

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.4 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N                                    

Vulnerability Description

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

Vulnerability Details

Published Date

April 22, 2026

Last Modified

April 22, 2026

CWE ID

CWE-754

Source

NVD

Vendor

Uutils

Product

coreutils

External References

https://github.com/uutils/coreutils/issues/9701
https://github.com/uutils/coreutils/pull/9728
https://github.com/uutils/coreutils/releases/tag/0.6.0
https://github.com/uutils/coreutils/issues/9701

CVE-2026-35366

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment