CVE-2026-35366

MEDIUM 4.4

uutils coreutils printenv Security Inspection Bypass via UTF-8 Enforcement

CVSS Score

4.4

EPSS Score

0.0%

EPSS Percentile

0th

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

CWE	CWE-754
Vendor	uutils
Product	coreutils
Published	Apr 22, 2026
Last Updated	Apr 22, 2026

Stay Ahead of the Next One

Get instant alerts for uutils coreutils

Be the first to know when new medium vulnerabilities affecting uutils coreutils are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Uutils / coreutils

0 < 0.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/uutils/coreutils/issues/9701 github.com: https://github.com/uutils/coreutils/pull/9728 github.com: https://github.com/uutils/coreutils/releases/tag/0.6.0

Credits

Zellic