CVE-2026-35366
Environment Variable Handling Flaw in uutils printenv Enables Evasion
Publication date: 2026-04-22
Last updated on: 2026-05-04
Assigner: Canonical Ltd.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | all versions before 0.6.0 (0.6.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows malicious environment variables containing invalid UTF-8 byte sequences to evade inspection by administrators or security auditing tools. As a result, environment-based attacks such as library injection may go undetected.
Because security auditing and monitoring are critical components of compliance with standards like GDPR and HIPAA, this vulnerability could impair an organization's ability to detect and respond to certain attacks, potentially affecting compliance with these regulations.
Can you explain this vulnerability to me?
The vulnerability exists in the printenv utility of uutils coreutils, which fails to display environment variables that contain invalid UTF-8 byte sequences.
Although POSIX allows environment strings to contain arbitrary bytes, the uutils implementation silently skips these entries instead of printing the raw bytes.
This behavior allows malicious environment variables, such as adversarial LD_PRELOAD values, to evade inspection by administrators or security auditing tools.
As a result, attacks like library injection or other environment-based exploits can go undetected.
How can this vulnerability impact me?
This vulnerability can impact you by allowing malicious environment variables to remain hidden from inspection tools and administrators.
Such hidden variables can be used to perform attacks like library injection, potentially compromising system integrity or security.
Because these malicious entries are skipped silently, it increases the risk that environment-based attacks go unnoticed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the uutils printenv utility hides environment variables that contain invalid UTF-8 byte sequences.
A practical detection method is to set an environment variable with invalid UTF-8 bytes and compare the output of the two printenv implementations.
- Set an environment variable with invalid UTF-8 bytes, for example: LD_PRELOAD=/tmp/lib.so\xff
- Run GNU printenv and verify that it displays the variable and exits with status 0.
- Run uutils printenv and check whether it hides the variable and exits with status 1, which indicates a vulnerable version.
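The steps above rely on printenv itself. As an added example, not from the advisory or the uutils project, the script below reads an environment block as raw bytes in the NUL-separated layout of /proc/<pid>/environ and lists every entry, flagging the ones a UTF-8-only tool such as the affected printenv would have dropped; the sample block and the function names are constructed for this illustration.

```python
# Audit an environment block as raw bytes so that entries with invalid UTF-8
# (which the affected uutils printenv silently dropped) are still listed.
# Added illustration; not the advisory's or the uutils project's own code.
import sys

def parse_environ_block(blob: bytes) -> list[tuple[bytes, bytes]]:
    """Split a NUL-separated block (the /proc/<pid>/environ layout) into
    (name, value) byte pairs without decoding them."""
    entries = []
    for raw in blob.split(b"\0"):
        if raw:
            name, sep, value = raw.partition(b"=")
            entries.append((name, value if sep else b""))
    return entries

def is_valid_utf8(data: bytes) -> bool:
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True

def format_entry(name: bytes, value: bytes) -> str:
    """Render an entry losslessly: invalid bytes become \\xNN escapes
    instead of being dropped, so the value stays inspectable."""
    return (name + b"=" + value).decode("utf-8", errors="backslashreplace")

def audit_environ(blob: bytes) -> dict:
    """Return all entries plus the subset a UTF-8-only tool would hide."""
    entries = parse_environ_block(blob)
    hidden = [(n, v) for n, v in entries
              if not (is_valid_utf8(n) and is_valid_utf8(v))]
    return {"total": len(entries), "hidden": hidden}

# Constructed sample block (not captured from a real process): the LD_PRELOAD
# value ends in a lone 0xFF byte, as in the advisory's detection example.
SAMPLE_ENVIRON = b"HOME=/root\0LD_PRELOAD=/tmp/lib.so\xff\0PATH=/usr/bin\0"

if __name__ == "__main__":
    # Pass a PID to audit a live process; otherwise the sample block is used.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/environ", "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_ENVIRON
    for name, value in parse_environ_block(blob):
        print(format_entry(name, value))
    for name, value in audit_environ(blob)["hidden"]:
        print("WARNING: non-UTF-8 entry a UTF-8-only tool would skip:",
              format_entry(name, value), file=sys.stderr)
```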
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the uutils coreutils package to a version that includes the fix for CVE-2026-35366.
The fix modifies printenv to correctly handle and display environment variables containing invalid UTF-8 sequences instead of skipping them.
This ensures that all environment variables are visible and can be inspected, preventing stealthy or malicious environment-based attacks.
If an immediate update is not possible, consider using GNU printenv as a temporary workaround, since it correctly displays such variables.