{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35366", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:08:43.746Z", "dateUpdated": "2026-04-22T17:50:09.879Z"}, "containers": {"cna": {"title": "uutils coreutils printenv Security Inspection Bypass via UTF-8 Enforcement", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "versions": [{"status": "affected", "lessThan": "0.6.0", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176: Configuration/Environment Manipulation"}]}], "descriptions": [{"lang": "en", "value": "The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/9701", "tags": ["issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/pull/9728", "tags": ["patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:43.746Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/9701", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:50:05.095688Z", "id": "CVE-2026-35366", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:50:09.879Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35366", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:50:05.095688Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/issues/9701", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:49:59.355Z"}}], "cna": {"title": "uutils coreutils printenv Security Inspection Bypass via UTF-8 Enforcement", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176: Configuration/Environment Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "versions": [{"status": "affected", "version": "0", "lessThan": "0.6.0", "versionType": "semver"}], "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/uutils/coreutils/issues/9701", "tags": ["issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/pull/9728", "tags": ["patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:43.746Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35366", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:50:09.879Z", "dateReserved": "2026-04-02T12:58:56.088Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:08:43.746Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected."}], "id": "CVE-2026-35366", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:40.167", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/issues/9701"}, {"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/pull/9728"}, {"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/releases/tag/0.6.0"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/uutils/coreutils/issues/9701"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:06:35.396031+00:00", "value": {"mitigation_remediation": ["Upgrade uutils coreutils to version 0.6.0 or later to include the printenv fix", "Configure auditing or monitoring tools to flag environment variables that contain invalid UTF\u20118 or enforce strict encoding checks", "Limit or sanitize the usage of environment variables such as LD_PRELOAD in high\u2011risk deployment scenarios"], "summary": {"action": "Update", "impact": "Bypassing Security Inspection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Uutils coreutils package, specifically the printenv utility. No specific version was enumerated in the CNA data, but the fix was incorporated in the 0.6.0 release referenced in the advisory. Users of earlier releases are affected. ", "description_and_impact": "The printenv utility in uutils coreutils fails to display environment variables that contain invalid UTF-8 byte sequences. While POSIX allows arbitrary bytes in environment strings, the implementation silently skips entries rather than printing the raw data. This creates a scenario where malicious environment variables\u2014such as crafted LD_PRELOAD values\u2014can avoid administrator or audit detection, potentially enabling library injection or other environment\u2011based attacks. The weakness is a classic example of CWE\u2011754, improper encoding. ", "risk_and_exploitability": "The CVSS score of 4.4 indicates a medium severity, and the EPSS entry is not available, suggesting no publicly reported exploitation yet. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a local or privileged context where an adversary can inject environment variables that the system should audit. With the current implementation silently discarding ill\u2011formed entries, such injected variables could go undetected, leading to potential library injection or similar attacks. Note that the exploitation requires the attacker to control or influence environment variables that the target process uses."}}}}, "created": "2026-04-22T18:15:15.482266+00:00", "updated": "2026-04-22T18:15:15.482276+00:00", "vendors": []}