CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-35366

CVE-2026-35366: Security Inspection Bypass in uutils coreutils printenv via non-UTF-8 Environment Variables

Alon Barad
Alon Barad
Software Engineer

Jul 6, 2026·6 min read·4 visits

Executive Summary (TL;DR)

Prior to version 0.6.0, the Rust implementation of printenv silently filters out environment variables that contain invalid UTF-8 byte sequences, allowing attackers to hide malicious environmental settings from security audits.

A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.

Vulnerability Overview

The printenv utility in system administration serves as a standard tool for displaying and auditing the current environment variables of a process. In uutils coreutils—a cross-platform rewrite of GNU coreutils in Rust—this utility is used as a drop-in replacement for the traditional C-based implementation. Because environment variables dictate binary execution behavior, library loading paths, and application configurations, their accurate reporting is crucial for system security monitoring.

On POSIX-compliant operating systems, environment variables are treated as raw, null-terminated byte sequences. However, Rust's standard library enforces strict UTF-8 validation on its default string types. Prior to version 0.6.0, uutils printenv relied on high-level Rust environment APIs that silently discarded any variables containing non-UTF-8 byte sequences.

This behavior exposes a security-relevant semantic gap. A malicious user can define active environment variables containing invalid UTF-8 sequences (such as a library hook inside LD_PRELOAD followed by an invalid byte). While the operating system and system dynamic linkers successfully parse and execute these variables, uutils printenv fails to report them, leading to a complete bypass of security inspection.

Root Cause Analysis

The root cause of CVE-2026-35366 lies in the application-layer handling of platform-native environment blocks. Under the POSIX standard, the global process environment is defined as an array of character pointers (extern char **environ). The kernel and runtime libraries process these pointers as raw byte arrays, requiring only that keys and values are separated by the = character and terminated by a null byte (\0). No character encoding constraints are enforced.

Conversely, the Rust language prioritizes memory safety and type correctness by requiring that the String and str primitives always contain valid UTF-8 sequences. To maintain this guarantee, the standard library functions std::env::vars() and std::env::var() parse the raw system environment and silently skip any variable name or value that fails UTF-8 validation. This behavior prevents application crashes but introduces a silent filtering mechanism.

When uutils printenv utilized these high-level APIs, it inherited this filtering behavior. If an environment block contains a variable such as LD_PRELOAD=/tmp/malicious.so\xff, the vars() iterator silently drops the entire key-value pair. Consequently, the utility exits with a success status but leaves security administrators blind to active runtime configurations that influence dynamic linker behavior.

Code Analysis

The vulnerable implementation of printenv in src/uu/printenv/src/printenv.rs relied on std::env::vars() to retrieve all environment variables, and std::env::var() to fetch specific variables.

// Vulnerable Code Path (Pre-0.6.0)
if variables.is_empty() {
    // std::env::vars() silently filters out non-UTF-8 pairs
    for (env_var, value) in env::vars() {
        print!("{env_var}={value}{separator}");
    }
    return Ok(());
} else {
    for env_var in &variables {
        // std::env::var() returns Err(VarError::NotUnicode) for non-UTF-8 keys/values
        if let Ok(var) = env::var(env_var) {
            print!("{var}{separator}");
        } else {
            error_found = true;
        }
    }
}

The patch in commit 0bfbbc00c7895c0fb6ea94987b4aab99e3d7ee52 resolved this issue by refactoring the module to use the OS-native APIs std::env::vars_os() and std::env::var_os(). These functions return OsString values, preserving raw byte sequences on Unix platforms without requiring UTF-8 conformity.

// Patched Code Path (0.6.0)
if variables.is_empty() {
    // env::vars_os() preserves raw OS-native bytes
    for (env_var, value) in env::vars_os() {
        let env_bytes = os_str_as_bytes(&env_var)?;
        let val_bytes = os_str_as_bytes(&value)?;
        // Directly write raw bytes to stdout to bypass UTF-8 formatting boundaries
        std::io::stdout().lock().write_all(env_bytes)?;
        print!("=");
        std::io::stdout().lock().write_all(val_bytes)?;
        print!("{separator}");
    }
    return Ok(());
} else {
    for env_var in &variables {
        if let Some(var) = env::var_os(env_var) {
            let val_bytes = os_str_as_bytes(&var)?;
            std::io::stdout().lock().write_all(val_bytes)?;
            print!("{separator}");
        } else {
            error_found = true;
        }
    }
}

This implementation uses uucore::os_str_as_bytes to retrieve raw slices. By directly writing these byte slices to stdout via write_all(), the patched utility guarantees that non-UTF-8 variables are rendered in their raw state, matching the behavior of GNU printenv.

Exploitation and Attack Path

To exploit this vulnerability, an attacker must have local execution access to a target system where uutils printenv is utilized as part of security auditing or logging processes. The primary objective is to inject a variable that alters process execution flow while remaining invisible to inspection tools.

An attacker can set a malicious environment variable using non-UTF-8 characters. The Unix dynamic linker (ld.so) processes the environment block as raw bytes, resolving and executing the target payload. The following Mermaid diagram illustrates the execution flow and the inspection bypass:

To replicate this scenario locally on a vulnerable system, execute the following commands:

# Define the variable with a trailing invalid UTF-8 byte (0xff)
export LD_PRELOAD=$'/tmp/lib.so\xff'
 
# Query the environment using GNU printenv
gnu-printenv LD_PRELOAD | od -An -tx1
# Output: 2f 74 6d 70 2f 6c 69 62 2e 73 6f ff 0a
 
# Query the environment using vulnerable uutils printenv
uutils-printenv LD_PRELOAD
# Output: (No output is returned, exits with error status 1)

Because the vulnerable utility fails to print the variable, security scripts checking LD_PRELOAD or LD_LIBRARY_PATH will fail to detect the injection, leaving the system administrator unaware of the loaded library.

Impact Assessment

The security impact of CVE-2026-35366 is classified as local defense evasion. The vulnerability does not directly permit privilege escalation or remote code execution. Instead, it allows an attacker who already has local execution access to mask the presence of malicious runtime configurations.

The CVSS v3.1 base score of 4.4 reflects this limitation (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). The vulnerability exhibits low attack complexity and requires low privileges. It impacts confidentiality and integrity at a low level because it hides critical audit information.

In enterprise environments, automation tools and security orchestration agents frequently inspect the environments of running containers or user sessions to detect compromise. If these agents rely on a vulnerable version of uutils/printenv, they can be easily blinded by an attacker adding invalid UTF-8 sequences to malicious configurations, rendering automated compliance checks ineffective.

Remediation and Mitigation

The primary remediation for this vulnerability is upgrading uutils coreutils to version 0.6.0 or higher. Package maintainers and system administrators should verify their installations and replace vulnerable binaries.

In environments where immediate binary updates are not feasible, administrators should audit process environments by directly reading from the kernel space. The /proc filesystem on Linux maintains the raw, unfiltered environment block of every process:

# Inspect the raw environment block of a specific PID
cat /proc/[PID]/environ | tr '\0' '\n'

This workaround accesses the environment data directly from the kernel, ensuring that no application-layer UTF-8 filtering takes place. Developers building system utilities in Rust must learn from this vulnerability: always preserve native raw OS types (OsStr/OsString) when handling paths, arguments, and environment variables, and avoid premature conversion to standard String representations.

Official Patches

uutilsGitHub Pull Request #9728: printenv: fix printenv with invalid utf8 variables

Fix Analysis (1)

Technical Appendix

CVSS Score
4.4/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Systems

POSIX-compliant systems using uutils coreutils printenv prior to version 0.6.0Security auditing tools relying on uutils coreutils printenv outputs

Affected Versions Detail

Product
Affected Versions
Fixed Version
coreutils
uutils
< 0.6.00.6.0
AttributeDetail
CWE IDCWE-754
Attack VectorLocal
CVSS v3.1 Score4.4
EPSS Score0.0017 (0.17%)
ImpactDefense Evasion / Inspection Bypass
Exploit StatusProof-of-Concept Available
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1564Hide Artifacts
Defense Evasion
CWE-754
Improper Check for Unusual or Exceptional Conditions

The software does not check or incorrectly handles conditions that are rare, unexpected, or outside standard operational assumptions.

References & Sources

  • [1]uutils coreutils Issue #9701: printenv skips environment variables with invalid UTF-8
  • [2]uutils coreutils Release 0.6.0
  • [3]CVE-2026-35366 Record
  • [4]NVD Advisory for CVE-2026-35366

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•5 minutes ago•CVE-2026-35381
3.3

CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility

A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.

Alon Barad
Alon Barad
2 views•7 min read
•about 1 hour ago•CVE-2026-55792
6.0

CVE-2026-55792: Sensitive File Disclosure in Craft CMS via Twig Sandbox Bypass

CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 2 hours ago•GHSA-X76W-8C62-48MG
4.3

GHSA-X76W-8C62-48MG: Missing Authorization in Craft CMS AssetsController Leads to Private Asset Disclosure

An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.

Alon Barad
Alon Barad
3 views•6 min read
•about 3 hours ago•CVE-2026-35371
3.3

CVE-2026-35371: Logical Identity Spoofing in uutils coreutils id Utility

CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.

Alon Barad
Alon Barad
5 views•9 min read
•about 3 hours ago•CVE-2026-35339
5.5

CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution

CVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.

Alon Barad
Alon Barad
6 views•7 min read
•about 5 hours ago•CVE-2026-35338
7.3

CVE-2026-35338: Path Validation Bypass in uutils/coreutils chmod --preserve-root Option

A path validation bypass vulnerability exists in the chmod utility of uutils/coreutils before version 0.6.0. The '--preserve-root' safety mechanism relies on a literal string comparison, allowing local users to bypass root directory protection via unnormalized paths (such as '/../' or symbolic links) and recursively alter system-wide permissions.

Alon Barad
Alon Barad
6 views•6 min read