CVE-2026-35366 Overview
The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.
Critical Impact
Malicious environment variables with invalid UTF-8 sequences can evade security auditing tools, enabling undetected library injection attacks via LD_PRELOAD or similar environment-based attack vectors.
Affected Products
- uutils coreutils versions prior to 0.6.0
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35366 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35366
Vulnerability Analysis
This vulnerability is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions). The core issue lies in how uutils coreutils handles environment variables that contain byte sequences not valid in UTF-8 encoding.
POSIX standards explicitly allow environment strings to contain arbitrary byte sequences, including those that are not valid UTF-8. However, the Rust-based uutils implementation of printenv assumes UTF-8 validity when iterating through environment variables. When it encounters an environment variable with invalid UTF-8 bytes, the utility silently skips that entry rather than outputting the raw bytes as expected.
This behavior deviation from traditional GNU coreutils creates a security blind spot. An attacker who sets malicious environment variables (such as LD_PRELOAD for dynamic library injection) using invalid UTF-8 byte sequences can effectively hide these variables from administrators and security tools that rely on printenv for environment inspection.
Root Cause
The root cause stems from Rust's strict UTF-8 string handling. Rust's std::env::vars() iterator only yields environment variables that are valid UTF-8, silently filtering out any variables with non-UTF-8 byte sequences. The printenv implementation relied on this iterator without accounting for the possibility of non-UTF-8 environment variables, causing legitimate POSIX-compliant environment entries to be omitted from output.
Attack Vector
The attack requires local access to the system. An attacker with the ability to set environment variables can craft malicious entries containing invalid UTF-8 byte sequences. These variables will function normally for the operating system and any programs that read them, but will be invisible when administrators use printenv to audit the environment. This is particularly dangerous for security-sensitive variables like:
- LD_PRELOAD - Used for library preloading, commonly exploited for privilege escalation
- LD_LIBRARY_PATH - Affects dynamic linker library search paths
- PATH - Can redirect command execution to malicious binaries
The attacker could embed malicious library paths with non-UTF-8 characters that still resolve correctly at the filesystem level, making the attack invisible to UTF-8-only inspection tools while remaining functional for exploitation.
Detection Methods for CVE-2026-35366
Indicators of Compromise
- Environment variables containing non-printable or unusual byte sequences that are not visible when running printenv but appear when using /proc/[pid]/environ
- Discrepancies between printenv output and actual environment contents revealed through /proc filesystem inspection
- Unexpected LD_PRELOAD or LD_LIBRARY_PATH configurations detected through alternative inspection methods
Detection Strategies
- Compare printenv output against direct reads from /proc/self/environ to identify hidden environment variables
- Implement security tools that read environment variables directly from the kernel rather than relying on printenv
- Deploy file integrity monitoring on system libraries to detect unauthorized preloading
Monitoring Recommendations
- Monitor for processes with unusual environment configurations using process inspection tools that read directly from /proc
- Alert on library preload indicators detected through methods other than printenv
- Implement auditing for environment variable modifications, especially for security-sensitive variables
How to Mitigate CVE-2026-35366
Immediate Actions Required
- Upgrade uutils coreutils to version 0.6.0 or later which addresses this issue
- Use alternative methods such as directly reading /proc/[pid]/environ for security-critical environment auditing
- Review systems for any evidence of environment-based attack techniques that may have exploited this visibility gap
Patch Information
The fix for this vulnerability is available in uutils coreutils version 0.6.0. The patch addresses the issue through changes tracked in Pull Request #9728, which ensures that environment variables with non-UTF-8 byte sequences are properly displayed rather than silently skipped.
For additional technical details about the vulnerability, see GitHub Issue #9701.
Workarounds
- Use GNU coreutils printenv instead of uutils implementation for security auditing purposes, as the traditional implementation properly handles non-UTF-8 environment variables
- Directly read /proc/self/environ or /proc/[pid]/environ for complete environment inspection, which bypasses any user-space filtering
- Implement custom scripts using od or xxd on /proc/*/environ to detect environment variables with non-UTF-8 content
# Configuration example
# Direct environment inspection bypassing printenv
cat /proc/self/environ | tr '\0' '\n'
# Compare printenv output with direct /proc read
diff <(printenv | sort) <(cat /proc/self/environ | tr '\0' '\n' | sort)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
