CVE-2026-35377
Logic Error in uutils coreutils env Causes Local DoS
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a failure in the uutils coreutils env utility when using the -S (split-string) option, causing an "invalid sequence" error and process termination with exit status 125 upon encountering certain valid but unrecognized escape sequences.
To detect this vulnerability on your system, you can test the behavior of the env command with the -S option and escape sequences inside single quotes.
- Run a command like: env -S"printf %s '\x'"
- If the command exits with status 125 and reports an "invalid sequence" error, the vulnerable version of uutils coreutils is present.
- In contrast, a non-vulnerable (GNU-compatible) env command will print \x literally without error.
Can you explain this vulnerability to me?
This vulnerability is a logic error in the env utility of uutils coreutils related to the -S (split-string) option. Unlike GNU env, which treats backslashes within single quotes mostly literally, the uutils version incorrectly tries to validate these sequences. This causes valid but unrecognized sequences like \a or \x to trigger an "invalid sequence" error, causing the process to terminate immediately with exit status 125.
This behavior diverges from GNU env and breaks compatibility with automated scripts and administrative workflows that depend on the standard split-string semantics.
How can this vulnerability impact me? :
The vulnerability can lead to a local denial of service by causing processes that use the env utility with the -S option to terminate unexpectedly when encountering certain valid escape sequences.
This can disrupt automated scripts and administrative workflows that rely on the expected behavior of the env utility, potentially causing operational interruptions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described is a logic error in the env utility of uutils coreutils that causes a local denial of service by terminating processes unexpectedly when parsing certain command-line arguments. It does not involve unauthorized access, data leakage, or modification of sensitive information.
Given the nature of this vulnerability, there is no direct indication that it impacts compliance with common standards and regulations such as GDPR or HIPAA, which primarily focus on data protection, privacy, and integrity.
However, the denial of service could potentially disrupt administrative workflows or automated scripts, which might indirectly affect operational compliance if critical processes are interrupted.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the uutils coreutils package to a version that includes the fix for CVE-2026-35377.
The fix corrects the parsing of the -S/--split-string option and the handling of backslashes in single quotes to match GNU behavior, preventing the invalid sequence errors and process termination.
If an update is not immediately available, avoid using the env command with the -S option containing escape sequences that trigger the issue.
Review and modify automated scripts or administrative workflows that rely on env -S to prevent local denial of service caused by this vulnerability.