Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35377

CVE-2026-35377: uutils coreutils env Utility DoS Flaw

CVE-2026-35377 is a denial of service flaw in the uutils coreutils env utility caused by incorrect parsing of command-line arguments with the -S option. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-35377 Overview

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.

Critical Impact

This Input Validation Error causes automated scripts and administrative workflows that depend on GNU-compatible split-string semantics to fail unexpectedly, resulting in local denial of service for affected operations.

Affected Products

  • uutils coreutils (versions with affected env utility implementation)

Discovery Timeline

  • 2026-04-22 - CVE CVE-2026-35377 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35377

Vulnerability Analysis

This vulnerability stems from improper input validation (CWE-20) in the uutils coreutils implementation of the env utility. The root issue lies in how the -S (split-string) option processes backslash escape sequences within single-quoted strings.

The GNU env utility follows POSIX-like behavior where backslashes inside single quotes are treated literally, with only \\ (escaped backslash) and \' (escaped single quote) being interpreted as special sequences. This allows users to pass arbitrary strings containing backslash characters without modification.

The uutils implementation diverges from this established behavior by implementing stricter validation logic. When the parser encounters escape sequences like \a, \x, or other valid-but-unrecognized character combinations, it incorrectly treats them as invalid sequences rather than passing them through literally as GNU env would.

Root Cause

The root cause is a logic error in the escape sequence validation routine within the uutils env utility's split-string parser. The implementation over-validates backslash sequences inside single quotes, applying escape sequence rules that should only apply in double-quoted contexts or outside of quotes entirely. This breaks the expected behavior where single quotes provide literal string handling.

Attack Vector

This vulnerability requires local access and low privileges to exploit. An attacker or malicious script could craft command-line arguments containing specific escape sequences (such as \a or \x) within single-quoted strings when invoking the env utility with the -S option. This would cause the utility to terminate immediately with exit status 125, disrupting any automated processes or scripts that depend on this functionality.

The impact is limited to availability, as the vulnerability does not allow for code execution or information disclosure. However, in environments where uutils coreutils is deployed as a drop-in replacement for GNU coreutils, this incompatibility can cause silent failures in automation pipelines, cron jobs, and system administration scripts.

The vulnerability mechanism involves the split-string option parsing logic incorrectly rejecting valid escape sequences. When the parser encounters backslash-prefixed characters like \a or \x inside single quotes, it throws an "invalid sequence" error instead of treating the backslash literally as GNU env does. For detailed technical information, see the GitHub Pull Request #11512.

Detection Methods for CVE-2026-35377

Indicators of Compromise

  • Scripts or cron jobs using env -S options failing with exit code 125
  • Error messages containing "invalid sequence" when running env with split-string arguments
  • Automated workflows unexpectedly terminating when processing command strings with backslash characters

Detection Strategies

  • Monitor system logs for env utility failures with exit status 125
  • Review automation scripts that use env -S for potential exposure to this parsing issue
  • Compare behavior of scripts between GNU coreutils and uutils coreutils environments

Monitoring Recommendations

  • Set up alerting for unexpected exit codes in critical automation pipelines
  • Audit environments where uutils coreutils is deployed as a GNU coreutils replacement
  • Implement regression testing for scripts that utilize the env -S split-string functionality

How to Mitigate CVE-2026-35377

Immediate Actions Required

  • Identify systems running uutils coreutils with the affected env utility
  • Review automation scripts and cron jobs for use of env -S with escape sequences
  • Consider temporarily switching to GNU coreutils for affected workflows until a patch is applied

Patch Information

A fix for this issue has been proposed via GitHub Pull Request #11512. Users should monitor this pull request for merge status and update their uutils coreutils installation once the fix is released.

Workarounds

  • Avoid using escape sequences like \a or \x within single-quoted strings when using env -S on uutils
  • Pre-process command strings to remove or escape problematic backslash sequences before passing to env
  • Use GNU coreutils env for scripts that require full GNU-compatible split-string behavior
bash
# Workaround: Use alternative quoting or escaping
# Instead of: env -S 'VAR=\a'
# Use double quotes with proper escaping or avoid problematic sequences
env VAR='\\a' command

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.