CVE-2026-35366 MEDIUM

CVE-2026-35366: uutils coreutils printenv Security Inspection Bypass via UTF-8 Enforcement

Vendor Uutils
Product coreutils
Weakness CWE-754
Published April 22, 2026
Last update April 22, 2026

CVSS base score

4.4/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated