CVE-2026-35366: Security Inspection Bypass in uutils coreutils printenv via non-UTF-8 Environment Variables
Vulnerability ID: CVE-2026-35366
CVSS Score: 4.4
Published: 2026-07-06
A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.
TL;DR
Prior to version 0.6.0, the Rust implementation of printenv silently filters out environment variables that contain invalid UTF-8 byte sequences, allowing attackers to hide malicious environmental settings from security audits.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-754
- Attack Vector: Local
- CVSS v3.1 Score: 4.4
- EPSS Score: 0.0017 (0.17%)
- Impact: Defense Evasion / Inspection Bypass
- Exploit Status: Proof-of-Concept Available
- KEV Status: Not Listed
Affected Systems
- POSIX-compliant systems using uutils coreutils printenv prior to version 0.6.0
- Security auditing tools relying on uutils coreutils printenv outputs
-
coreutils: < 0.6.0 (Fixed in:
0.6.0)
Code Analysis
Commit: 0bfbbc0
printenv: Fix issues with invalid UTF-8 variables by using env::vars_os() and writing raw byte streams to stdout
Mitigation Strategies
- Upgrade uutils coreutils to version 0.6.0 or later.
- Audit active process environment blocks using kernel-level interfaces like /proc instead of vulnerable utilities.
- Avoid using standard Rust String types for handling operating system environment interfaces in system utilities.
Remediation Steps:
- Locate systems running uutils coreutils.
- Update the package to version 0.6.0 or later using the appropriate system package manager or Cargo.
- For temporary auditing, use 'cat /proc//environ | tr "\0" "\n"' to securely examine environments in a raw byte format.
References
- uutils coreutils Issue #9701: printenv skips environment variables with invalid UTF-8
- uutils coreutils Release 0.6.0
- CVE-2026-35366 Record
- NVD Advisory for CVE-2026-35366
Read the full report for CVE-2026-35366 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)