Compliance Impact

The vulnerability described is a logic error in the env utility of uutils coreutils that causes a local denial of service by terminating processes unexpectedly when parsing certain command-line arguments. It does not involve unauthorized access, data leakage, or modification of sensitive information.

Given the nature of this vulnerability, there is no direct indication that it impacts compliance with common standards and regulations such as GDPR or HIPAA, which primarily focus on data protection, privacy, and integrity.

However, the denial of service could potentially disrupt administrative workflows or automated scripts, which might indirectly affect operational compliance if critical processes are interrupted.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a logic error in the env utility of uutils coreutils related to the -S (split-string) option. Unlike GNU env, which treats backslashes within single quotes mostly literally, the uutils version incorrectly tries to validate these sequences. This causes valid but unrecognized sequences like \a or \x to trigger an "invalid sequence" error, causing the process to terminate immediately with exit status 125.

This behavior diverges from GNU env and breaks compatibility with automated scripts and administrative workflows that depend on the standard split-string semantics.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to a local denial of service by causing processes that use the env utility with the -S option to terminate unexpectedly when encountering certain valid escape sequences.

This can disrupt automated scripts and administrative workflows that rely on the expected behavior of the env utility, potentially causing operational interruptions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability manifests as a failure in the uutils coreutils env utility when using the -S (split-string) option, causing an "invalid sequence" error and process termination with exit status 125 upon encountering certain valid but unrecognized escape sequences.

To detect this vulnerability on your system, you can test the behavior of the env command with the -S option and escape sequences inside single quotes.

• Run a command like: env -S"printf %s '\x'"
• If the command exits with status 125 and reports an "invalid sequence" error, the vulnerable version of uutils coreutils is present.
• In contrast, a non-vulnerable (GNU-compatible) env command will print \x literally without error.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves updating the uutils coreutils package to a version that includes the fix for CVE-2026-35377.

The fix corrects the parsing of the -S/--split-string option and the handling of backslashes in single quotes to match GNU behavior, preventing the invalid sequence errors and process termination.

If an update is not immediately available, avoid using the env command with the -S option containing escape sequences that trigger the issue.

Review and modify automated scripts or administrative workflows that rely on env -S to prevent local denial of service caused by this vulnerability.

Useful 0 Not Useful 0