{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35366", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:08:43.746Z", "dateUpdated": "2026-04-22T17:50:09.879Z"}, "containers": {"cna": {"title": "uutils coreutils printenv Security Inspection Bypass via UTF-8 Enforcement", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "versions": [{"status": "affected", "lessThan": "0.6.0", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176: Configuration/Environment Manipulation"}]}], "descriptions": [{"lang": "en", "value": "The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/9701", "tags": ["issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/pull/9728", "tags": ["patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:43.746Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/9701", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:50:05.095688Z", "id": "CVE-2026-35366", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:50:09.879Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35366", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:50:05.095688Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/issues/9701", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:49:59.355Z"}}], "cna": {"title": "uutils coreutils printenv Security Inspection Bypass via UTF-8 Enforcement", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176: Configuration/Environment Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "versions": [{"status": "affected", "version": "0", "lessThan": "0.6.0", "versionType": "semver"}], "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/uutils/coreutils/issues/9701", "tags": ["issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/pull/9728", "tags": ["patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:43.746Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35366", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:50:09.879Z", "dateReserved": "2026-04-02T12:58:56.088Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:08:43.746Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883", "versionEndExcluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected."}], "id": "CVE-2026-35366", "lastModified": "2026-05-04T18:52:42.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:40.167", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/uutils/coreutils/issues/9701"}, {"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/uutils/coreutils/pull/9728"}, {"source": "security@ubuntu.com", "tags": ["Release Notes"], "url": "https://github.com/uutils/coreutils/releases/tag/0.6.0"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/uutils/coreutils/issues/9701"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "unix", "macos"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coreutils", "source": "cna", "vendor": "Uutils"}, "product": "coreutils", "vendor": "uutils"}], "analysis": {"en": {"generated_at": "2026-04-27T08:39:37.566897+00:00", "value": {"mitigation_remediation": ["Upgrade uutils coreutils to version 0.6.0 or later to include the printenv fix", "Configure auditing or monitoring tools to flag environment variables that contain invalid UTF\u20118 or enforce strict encoding checks", "Limit or sanitize the usage of environment variables such as LD_PRELOAD in high\u2011risk deployment scenarios"], "summary": {"action": "Update", "impact": "Bypassing Security Inspection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Uutils coreutils package, specifically the printenv utility. No specific version was enumerated in the CNA data, but the fix was incorporated in the 0.6.0 release referenced in the advisory. Users of earlier releases are affected.", "description_and_impact": "The printenv utility in uutils coreutils fails to display environment variables that contain invalid UTF\u20118 byte sequences. While POSIX permits arbitrary bytes in environment strings, the implementation silently skips these entries rather than printing the raw data. This allows malicious environment variables\u2014such as crafted LD_PRELOAD values\u2014to evade detection by administrators or security\u2011auditing tools, potentially enabling library injection or other environment\u2011based attacks. The weakness is a classic example of improper encoding (CWE\u2011754).", "risk_and_exploitability": "The CVSS score of 4.4 indicates a medium severity, and the EPSS entry is not available, suggesting no publicly reported exploitation yet. The vulnerability is not listed in CISA KEV. The likely attack vector is a local or privileged context where an attacker can inject environment variables that should otherwise be audited. By silently discarding ill\u2011formed entries, the system may allow injected variables to go undetected, leading to potential library injection or similar attacks. Exploitation requires the attacker to control or influence environment variables that the target process uses."}}}}, "created": "2026-04-22T18:15:15.482266+00:00", "updated": "2026-04-27T19:53:40.174504+00:00", "vendors": ["uutils", "uutils$PRODUCT$coreutils"]}