Jul 6, 2026·6 min read·4 visits
Prior to version 0.6.0, the Rust implementation of printenv silently filters out environment variables that contain invalid UTF-8 byte sequences, allowing attackers to hide malicious environmental settings from security audits.
A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.
The printenv utility in system administration serves as a standard tool for displaying and auditing the current environment variables of a process. In uutils coreutils—a cross-platform rewrite of GNU coreutils in Rust—this utility is used as a drop-in replacement for the traditional C-based implementation. Because environment variables dictate binary execution behavior, library loading paths, and application configurations, their accurate reporting is crucial for system security monitoring.
On POSIX-compliant operating systems, environment variables are treated as raw, null-terminated byte sequences. However, Rust's standard library enforces strict UTF-8 validation on its default string types. Prior to version 0.6.0, uutils printenv relied on high-level Rust environment APIs that silently discarded any variables containing non-UTF-8 byte sequences.
This behavior exposes a security-relevant semantic gap. A malicious user can define active environment variables containing invalid UTF-8 sequences (such as a library hook inside LD_PRELOAD followed by an invalid byte). While the operating system and system dynamic linkers successfully parse and execute these variables, uutils printenv fails to report them, leading to a complete bypass of security inspection.
The root cause of CVE-2026-35366 lies in the application-layer handling of platform-native environment blocks. Under the POSIX standard, the global process environment is defined as an array of character pointers (extern char **environ). The kernel and runtime libraries process these pointers as raw byte arrays, requiring only that keys and values are separated by the = character and terminated by a null byte (\0). No character encoding constraints are enforced.
Conversely, the Rust language prioritizes memory safety and type correctness by requiring that the String and str primitives always contain valid UTF-8 sequences. To maintain this guarantee, the standard library functions std::env::vars() and std::env::var() parse the raw system environment and silently skip any variable name or value that fails UTF-8 validation. This behavior prevents application crashes but introduces a silent filtering mechanism.
When uutils printenv utilized these high-level APIs, it inherited this filtering behavior. If an environment block contains a variable such as LD_PRELOAD=/tmp/malicious.so\xff, the vars() iterator silently drops the entire key-value pair. Consequently, the utility exits with a success status but leaves security administrators blind to active runtime configurations that influence dynamic linker behavior.
The vulnerable implementation of printenv in src/uu/printenv/src/printenv.rs relied on std::env::vars() to retrieve all environment variables, and std::env::var() to fetch specific variables.
// Vulnerable Code Path (Pre-0.6.0)
if variables.is_empty() {
// std::env::vars() silently filters out non-UTF-8 pairs
for (env_var, value) in env::vars() {
print!("{env_var}={value}{separator}");
}
return Ok(());
} else {
for env_var in &variables {
// std::env::var() returns Err(VarError::NotUnicode) for non-UTF-8 keys/values
if let Ok(var) = env::var(env_var) {
print!("{var}{separator}");
} else {
error_found = true;
}
}
}The patch in commit 0bfbbc00c7895c0fb6ea94987b4aab99e3d7ee52 resolved this issue by refactoring the module to use the OS-native APIs std::env::vars_os() and std::env::var_os(). These functions return OsString values, preserving raw byte sequences on Unix platforms without requiring UTF-8 conformity.
// Patched Code Path (0.6.0)
if variables.is_empty() {
// env::vars_os() preserves raw OS-native bytes
for (env_var, value) in env::vars_os() {
let env_bytes = os_str_as_bytes(&env_var)?;
let val_bytes = os_str_as_bytes(&value)?;
// Directly write raw bytes to stdout to bypass UTF-8 formatting boundaries
std::io::stdout().lock().write_all(env_bytes)?;
print!("=");
std::io::stdout().lock().write_all(val_bytes)?;
print!("{separator}");
}
return Ok(());
} else {
for env_var in &variables {
if let Some(var) = env::var_os(env_var) {
let val_bytes = os_str_as_bytes(&var)?;
std::io::stdout().lock().write_all(val_bytes)?;
print!("{separator}");
} else {
error_found = true;
}
}
}This implementation uses uucore::os_str_as_bytes to retrieve raw slices. By directly writing these byte slices to stdout via write_all(), the patched utility guarantees that non-UTF-8 variables are rendered in their raw state, matching the behavior of GNU printenv.
To exploit this vulnerability, an attacker must have local execution access to a target system where uutils printenv is utilized as part of security auditing or logging processes. The primary objective is to inject a variable that alters process execution flow while remaining invisible to inspection tools.
An attacker can set a malicious environment variable using non-UTF-8 characters. The Unix dynamic linker (ld.so) processes the environment block as raw bytes, resolving and executing the target payload. The following Mermaid diagram illustrates the execution flow and the inspection bypass:
To replicate this scenario locally on a vulnerable system, execute the following commands:
# Define the variable with a trailing invalid UTF-8 byte (0xff)
export LD_PRELOAD=$'/tmp/lib.so\xff'
# Query the environment using GNU printenv
gnu-printenv LD_PRELOAD | od -An -tx1
# Output: 2f 74 6d 70 2f 6c 69 62 2e 73 6f ff 0a
# Query the environment using vulnerable uutils printenv
uutils-printenv LD_PRELOAD
# Output: (No output is returned, exits with error status 1)Because the vulnerable utility fails to print the variable, security scripts checking LD_PRELOAD or LD_LIBRARY_PATH will fail to detect the injection, leaving the system administrator unaware of the loaded library.
The security impact of CVE-2026-35366 is classified as local defense evasion. The vulnerability does not directly permit privilege escalation or remote code execution. Instead, it allows an attacker who already has local execution access to mask the presence of malicious runtime configurations.
The CVSS v3.1 base score of 4.4 reflects this limitation (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). The vulnerability exhibits low attack complexity and requires low privileges. It impacts confidentiality and integrity at a low level because it hides critical audit information.
In enterprise environments, automation tools and security orchestration agents frequently inspect the environments of running containers or user sessions to detect compromise. If these agents rely on a vulnerable version of uutils/printenv, they can be easily blinded by an attacker adding invalid UTF-8 sequences to malicious configurations, rendering automated compliance checks ineffective.
The primary remediation for this vulnerability is upgrading uutils coreutils to version 0.6.0 or higher. Package maintainers and system administrators should verify their installations and replace vulnerable binaries.
In environments where immediate binary updates are not feasible, administrators should audit process environments by directly reading from the kernel space. The /proc filesystem on Linux maintains the raw, unfiltered environment block of every process:
# Inspect the raw environment block of a specific PID
cat /proc/[PID]/environ | tr '\0' '\n'This workaround accesses the environment data directly from the kernel, ensuring that no application-layer UTF-8 filtering takes place. Developers building system utilities in Rust must learn from this vulnerability: always preserve native raw OS types (OsStr/OsString) when handling paths, arguments, and environment variables, and avoid premature conversion to standard String representations.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
coreutils uutils | < 0.6.0 | 0.6.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-754 |
| Attack Vector | Local |
| CVSS v3.1 Score | 4.4 |
| EPSS Score | 0.0017 (0.17%) |
| Impact | Defense Evasion / Inspection Bypass |
| Exploit Status | Proof-of-Concept Available |
| KEV Status | Not Listed |
The software does not check or incorrectly handles conditions that are rare, unexpected, or outside standard operational assumptions.
A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.
CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.
An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.
CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.
CVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.
A path validation bypass vulnerability exists in the chmod utility of uutils/coreutils before version 0.6.0. The '--preserve-root' safety mechanism relies on a literal string comparison, allowing local users to bypass root directory protection via unnormalized paths (such as '/../' or symbolic links) and recursively alter system-wide permissions.