Skip to main content

uutils coreutils CVE-2026-35366

| EUVDEUVD-2026-25014 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:04 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25014
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 4.4

DescriptionCVE.org

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

AnalysisAI

The printenv utility in uutils coreutils versions before 0.6.0 silently omits environment variables containing invalid UTF-8 byte sequences, allowing adversarial environment variables such as malicious LD_PRELOAD values to evade inspection by administrators and security auditing tools. This evasion capability enables library injection and other environment-based attacks to bypass detection, affecting systems that rely on printenv for security auditing or environment validation. The vulnerability requires local access with unprivileged user privileges (PR:L) to exploit and carries a CVSS score of 4.4 with confirmed proof-of-concept availability.

Technical ContextAI

The vulnerability stems from improper handling of UTF-8 validation in the printenv utility. While POSIX standards explicitly permit arbitrary byte sequences in environment variables, uutils coreutils implements a validation layer that silently discards environment entries failing UTF-8 decoding rather than printing raw bytes as-is. This behavior violates the principle of complete environment introspection and creates a blind spot for security tools. The underlying issue is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions), reflecting the failure to handle the exceptional but valid case of non-UTF-8 environment data. The affected product is the uutils coreutils project (CPE: cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:*), a Rust-based rewrite of GNU coreutils utilities that aims for POSIX compliance but diverges in this edge case.

RemediationAI

Vendor-released patch: uutils coreutils version 0.6.0 and later. Upgrade the affected package to version 0.6.0 or newer from the official repository at https://github.com/uutils/coreutils/releases/tag/0.6.0. For systems unable to upgrade immediately, implement compensating controls by replacing reliance on printenv for security auditing with alternative introspection methods: use /proc/[pid]/environ on Linux (which preserves raw bytes), invoke strace to observe environment setup at process launch, or employ LSM-based auditing (AppArmor, SELinux) to monitor environment variable injection attempts. These alternatives provide byte-accurate environment inspection and detect injection attempts even when printenv would be blind. The trade-off is increased operational complexity and resource consumption (strace on production systems). Until patched, assume that printenv output on systems running uutils coreutils is incomplete and should not be the sole basis for environment validation decisions.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy