{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35377", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.089Z", "datePublished": "2026-04-22T16:09:12.220Z", "dateUpdated": "2026-04-22T17:01:09.526Z"}, "containers": {"cna": {"title": "uutils coreutils env Local Denial of Service via Improper Handling of Backslashes in Split-String Mode", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153: Input Data Manipulation"}]}], "descriptions": [{"lang": "en", "value": "A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\\\ and \\'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an \"invalid sequence\" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \\a or \\x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations."}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11512", "tags": ["issue-tracking", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:09:12.220Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:00:56.507647Z", "id": "CVE-2026-35377", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:01:09.526Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:00:56.507647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:01:00.614Z"}}], "cna": {"title": "uutils coreutils env Local Denial of Service via Improper Handling of Backslashes in Split-String Mode", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153: Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11512", "tags": ["issue-tracking", "patch"]}], "descriptions": [{"lang": "en", "value": "A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\\\ and \\'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an \"invalid sequence\" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \\a or \\x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:09:12.220Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35377", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:01:09.526Z", "dateReserved": "2026-04-02T12:58:56.089Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:09:12.220Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\\\ and \\'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an \"invalid sequence\" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \\a or \\x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations."}], "id": "CVE-2026-35377", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:42.577", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/pull/11512"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:01:42.777993+00:00", "value": {"mitigation_remediation": ["Upgrade uutils coreutils to the latest release that includes the fixed env implementation.", "Avoid using the -S option with backslashes in scripts that rely on env; instead, escape characters explicitly or rewrite the command to bypass split-string processing.", "If an update is unavailable, temporarily replace the uutils env utility with GNU coreutils env, which correctly handles backslashes and maintains expected behavior."], "summary": {"action": "Update", "impact": "Local Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is the env utility within Uutils:coreutils. Any version of uutils coreutils containing the buggy env implementation is susceptible; the exact affected versions are not specified in the advisory.", "description_and_impact": "A logic error in the env utility of uutils coreutils causes the split-string option to misinterpret backslashes. While GNU env treats backslashes within single quotes literally, uutils tries to validate these sequences and produces an \"invalid sequence\" error, terminating the process with exit status 125 when it encounters valid but unrecognized sequences such as \\a or \\x. This incompatibility disrupts automated scripts and administrative workflows that rely on standard split-string semantics, thereby creating a local denial of service for operations that invoke this option.", "risk_and_exploitability": "The CVSS score of 3.3 indicates a low severity vulnerability. No EPSS score is available and the issue is not listed in CISA KEV, suggesting a low likelihood of widespread exploitation. The attack vector is local, requiring the attacker to execute the env command with the split-string option on an affected system. As the vulnerability only causes a process termination, its impact is limited to service disruption of the specific task using this utility and does not expose sensitive data or allow further privilege escalation."}}}}, "created": "2026-04-22T18:15:15.480178+00:00", "updated": "2026-04-22T18:15:15.480190+00:00", "vendors": []}