CVE-2026-35366

NameCVE-2026-35366
DescriptionThe printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rust-coreutils (PTS)bookworm0.0.17-2vulnerable
trixie0.0.30-2vulnerable
forky0.0.30-4vulnerable
sid0.7.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rust-coreutilssource(unstable)0.6.0-1

Notes

https://github.com/uutils/coreutils/issues/9701
https://github.com/uutils/coreutils/pull/9728
Fixed by: https://github.com/uutils/coreutils/commit/0bfbbc00c7895c0fb6ea94987b4aab99e3d7ee52 (0.6.0)
Search for package or bug name: Reporting problems