Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
5DescriptionCVE.org
A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
AnalysisAI
The env utility in uutils coreutils incorrectly rejects valid backslash escape sequences in single-quoted strings when using the -S (split-string) option, terminating with exit status 125 and causing local denial of service for scripts relying on GNU env compatibility. The implementation performs overly strict validation that diverges from GNU behavior, where backslashes outside of \\ and \' are treated literally rather than invalid, breaking automated administrative workflows.
Technical ContextAI
The env utility is a POSIX-standard command-line tool used to execute programs with modified environment variables and to split command strings. The -S option enables split-string mode, where a single argument is parsed as multiple arguments separated by spaces and tabs. GNU env implements shell-like backslash escape handling within single quotes with specific rules: backslashes are literal except for \\, which becomes \, and \', which becomes '. The uutils implementation, which provides Rust-based replacements for GNU coreutils, incorrectly validates backslash sequences and rejects valid ones like \a or \x as errors. This is a CWE-20 (Improper Input Validation) issue where the validation logic is stricter than the specification requires, causing the parser to terminate prematurely rather than interpret sequences according to GNU semantics.
RemediationAI
Apply the patch from uutils coreutils GitHub PR #11512 or upgrade to the next release that includes the fix (specific version number not confirmed in provided references). The upstream fix corrects the backslash validation logic to match GNU env behavior, allowing literal backslashes in single-quoted strings except for \\ and \'. No workarounds are practical because the issue is in core argument parsing; the only temporary mitigation is to avoid the -S option entirely or rewrite scripts to eliminate backslash sequences within split strings, though this may break portability. Since exploitation requires local shell access and no remote vector exists, the remediation priority is medium - suitable for next routine patching window rather than emergency deployment, but should be prioritized for systems running uutils as a drop-in GNU coreutils replacement.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25030
GHSA-5v4g-vw9x-h534