CVE-2026-35366
Environment Variable Handling Flaw in uutils printenv Enables Evasion

Publication date: 2026-04-22

Last updated on: 2026-05-04

Assigner: Canonical Ltd.

Description
The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.
Affected Vendors & Products

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| uutils | coreutils | versions before 0.6.0 (0.6.0 excluded) |
CWE

| CWE ID | Description |
|--------|-------------|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the product. |
Detection Guidance

This vulnerability can be detected by checking whether the uutils printenv utility hides environment variables whose values contain invalid UTF-8 byte sequences.

A practical detection method is to set an environment variable to a value containing an invalid UTF-8 byte and compare the output of the two printenv implementations.

  • Set an environment variable whose value contains an invalid UTF-8 byte, for example LD_PRELOAD=/tmp/lib.so followed by a single 0xFF byte (0xFF can never appear in valid UTF-8).
  • Run GNU printenv and verify that it displays the variable and exits with status 0.
  • Run uutils printenv and check whether it hides the variable and exits with status 1, which indicates the vulnerable behaviour.
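The check above, as an added example in Python that is not part of this record or of either coreutils project. It probes any printenv command you pass it; the variable name PRINTENV_UTF8_PROBE and the two Python stand-in commands (one printing raw bytes, one skipping non-UTF-8 values) are constructed here so the check can be exercised without either real binary.

```python
"""Probe whether a printenv implementation hides environment entries whose
value is not valid UTF-8 (the behaviour described for CVE-2026-35366)."""
import os
import subprocess
import sys

# Constructed probe: a plausible path followed by 0xFF, a byte that can never
# occur in valid UTF-8. A placeholder name is used instead of LD_PRELOAD so
# the probe cannot influence the dynamic loader of the spawned process.
PROBE_NAME = b"PRINTENV_UTF8_PROBE"
PROBE_VALUE = b"/tmp/lib.so\xff"


def probe_printenv(printenv_cmd):
    """Run `<printenv_cmd> PRINTENV_UTF8_PROBE` with the probe set.

    Returns (hidden, exit_status). hidden is True when the raw bytes of the
    value are absent from stdout, i.e. the utility skipped the entry.
    """
    env = dict(os.environb)          # byte-level copy of the current environment
    env[PROBE_NAME] = PROBE_VALUE    # bytes keys/values are passed through execve
    proc = subprocess.run(list(printenv_cmd) + [PROBE_NAME.decode()],
                          env=env, capture_output=True)
    hidden = PROBE_VALUE not in proc.stdout
    return hidden, proc.returncode


# Stand-ins for a deterministic self-test (constructed, not real binaries):
# RAW_PRINTENV writes the value's raw bytes like GNU printenv; SKIPPING_PRINTENV
# refuses values that are not valid UTF-8 and exits 1, mirroring the flaw.
RAW_PRINTENV = [sys.executable, "-c",
                "import os,sys; v=os.environb.get(sys.argv[1].encode()); "
                "sys.stdout.buffer.write(v) if v is not None else sys.exit(1)"]
SKIPPING_PRINTENV = [sys.executable, "-c",
                     "import os,sys; v=os.environb.get(sys.argv[1].encode(), b''); "
                     "ok=v.decode('utf-8','replace').encode()==v; "
                     "print(v.decode()) if ok else sys.exit(1)"]


def main(argv):
    """Usage: python probe_printenv.py [/path/to/printenv]  (default: printenv on PATH)."""
    cmd = argv[1:] or ["printenv"]
    hidden, status = probe_printenv(cmd)
    print(f"{' '.join(cmd)}: probe {'HIDDEN' if hidden else 'shown'}, exit status {status}")
    return 1 if hidden else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at each installed printenv in turn; a non-zero result from the script means that implementation drops non-UTF-8 entries and should not be relied on for environment audits.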
Mitigation Strategies

To mitigate this vulnerability, update the uutils coreutils package to a version that includes the fix for CVE-2026-35366.

The fix modifies printenv to correctly handle and display environment variables containing invalid UTF-8 sequences instead of skipping them.

This ensures that all environment variables are visible and can be inspected, preventing stealthy or malicious environment-based attacks.

If an immediate update is not possible, consider using GNU printenv as a temporary workaround, since it displays such variables correctly.

Executive Summary

The vulnerability exists in the printenv utility of uutils coreutils, which fails to display environment variables that contain invalid UTF-8 byte sequences.

Although POSIX allows environment strings to contain arbitrary bytes, the uutils implementation silently skips these entries instead of printing the raw bytes.

This behavior allows malicious environment variables, such as adversarial LD_PRELOAD values, to evade inspection by administrators or security auditing tools.

As a result, attacks like library injection or other environment-based exploits can go undetected.

Impact Analysis

This vulnerability affects you by allowing malicious environment variables to remain hidden from inspection tools and administrators.

Such hidden variables can be used for attacks like library injection, potentially compromising system integrity or security.

Because these entries are skipped silently, the risk that environment-based attacks go unnoticed increases.

Compliance Impact

This vulnerability allows malicious environment variables containing invalid UTF-8 byte sequences to evade inspection by administrators or security auditing tools. As a result, environment-based attacks such as library injection may go undetected.

Because security auditing and monitoring are critical components of compliance with standards like GDPR and HIPAA, this vulnerability could impair an organization's ability to detect and respond to certain attacks, potentially affecting compliance with these regulations.
