Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.
AnalysisAI
The printenv utility in uutils coreutils versions before 0.6.0 silently omits environment variables containing invalid UTF-8 byte sequences, allowing adversarial environment variables such as malicious LD_PRELOAD values to evade inspection by administrators and security auditing tools. This evasion capability enables library injection and other environment-based attacks to bypass detection, affecting systems that rely on printenv for security auditing or environment validation. The vulnerability requires local access with unprivileged user privileges (PR:L) to exploit and carries a CVSS score of 4.4 with confirmed proof-of-concept availability.
Technical ContextAI
The vulnerability stems from improper handling of UTF-8 validation in the printenv utility. While POSIX standards explicitly permit arbitrary byte sequences in environment variables, uutils coreutils implements a validation layer that silently discards environment entries failing UTF-8 decoding rather than printing raw bytes as-is. This behavior violates the principle of complete environment introspection and creates a blind spot for security tools. The underlying issue is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions), reflecting the failure to handle the exceptional but valid case of non-UTF-8 environment data. The affected product is the uutils coreutils project (CPE: cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:*), a Rust-based rewrite of GNU coreutils utilities that aims for POSIX compliance but diverges in this edge case.
RemediationAI
Vendor-released patch: uutils coreutils version 0.6.0 and later. Upgrade the affected package to version 0.6.0 or newer from the official repository at https://github.com/uutils/coreutils/releases/tag/0.6.0. For systems unable to upgrade immediately, implement compensating controls by replacing reliance on printenv for security auditing with alternative introspection methods: use /proc/[pid]/environ on Linux (which preserves raw bytes), invoke strace to observe environment setup at process launch, or employ LSM-based auditing (AppArmor, SELinux) to monitor environment variable injection attempts. These alternatives provide byte-accurate environment inspection and detect injection attempts even when printenv would be blind. The trade-off is increased operational complexity and resource consumption (strace on production systems). Until patched, assume that printenv output on systems running uutils coreutils is incomplete and should not be the sole basis for environment validation decisions.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25014
GHSA-7259-cwhx-3xx3