Ghostwire

CVE-2026-35366: The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences....

MEDIUM CVSS 5.5

Published: April 22, 2026 | Last Modified: April 22, 2026

Description

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

Ghostwire Analysis — What This Means Practically

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

CVE-2026-35366: The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences....

Description

Ghostwire Analysis — What This Means Practically

Security Coverage (1 articles)

References