CVE-2026-35377 Overview
A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
Critical Impact
This input validation error causes automated scripts and administrative workflows that depend on GNU-compatible split-string semantics to fail unexpectedly, resulting in a local denial of service for the affected operations.
Affected Products
- uutils coreutils (versions with affected env utility implementation)
Discovery Timeline
- 2026-04-22 - CVE-2026-35377 published to NVD
- 2026-04-22 - Last updated in the NVD database
Technical Details for CVE-2026-35377
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the uutils coreutils implementation of the env utility. The root issue lies in how the -S (split-string) option processes backslash escape sequences within single-quoted strings.
The GNU env utility follows POSIX-like behavior where backslashes inside single quotes are treated literally, with only \\ (escaped backslash) and \' (escaped single quote) being interpreted as special sequences. This allows users to pass arbitrary strings containing backslash characters without modification.
The uutils implementation diverges from this established behavior by implementing stricter validation logic. When the parser encounters escape sequences like \a, \x, or other valid-but-unrecognized character combinations, it incorrectly treats them as invalid sequences rather than passing them through literally as GNU env would.
Root Cause
The root cause is a logic error in the escape sequence validation routine within the uutils env utility's split-string parser. The implementation over-validates backslash sequences inside single quotes, applying escape sequence rules that should only apply in double-quoted contexts or outside of quotes entirely. This breaks the expected behavior where single quotes provide literal string handling.
Attack Vector
This vulnerability requires local access and low privileges to exploit. An attacker or malicious script could craft command-line arguments containing specific escape sequences (such as \a or \x) within single-quoted strings when invoking the env utility with the -S option. This would cause the utility to terminate immediately with exit status 125, disrupting any automated processes or scripts that depend on this functionality.
The impact is limited to availability, as the vulnerability does not allow for code execution or information disclosure. However, in environments where uutils coreutils is deployed as a drop-in replacement for GNU coreutils, this incompatibility can cause silent failures in automation pipelines, cron jobs, and system administration scripts.
The vulnerability mechanism involves the split-string option parsing logic incorrectly rejecting valid escape sequences. When the parser encounters backslash-prefixed characters like \a or \x inside single quotes, it throws an "invalid sequence" error instead of treating the backslash literally as GNU env does. For detailed technical information, see the GitHub Pull Request #11512.
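The single-quote rules described above, written out as an added example (not code from uutils or GNU coreutils): a small Python model of the env -S argument splitter in which strict=True reproduces the over-validation the advisory describes, and diverges() flags a command string that GNU env would accept but the strict parser rejects. The function names and the model's scope (single quotes and whitespace only; double quotes and unquoted escapes are not modelled) are assumptions.

```python
# Added example (not uutils or GNU code): a model of env -S single-quote handling.
# Only the advisory's rules are modelled: whitespace separates arguments, and inside
# '...' a backslash is literal except for \\ and \'. Double quotes are out of scope.

class InvalidSequence(ValueError):
    """Models the 'invalid sequence' failure (exit status 125) of the strict parser."""

def split_single_quoted(s: str, strict: bool = False) -> list[str]:
    r"""Split an env -S string into arguments.
    strict=False follows the GNU rule: unknown sequences such as \a or \x inside
    single quotes pass through literally; strict=True rejects them like uutils.
    """
    args, cur, in_arg, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "'":
            in_arg, i = True, i + 1
            while i < len(s) and s[i] != "'":
                if s[i] == "\\" and i + 1 < len(s):
                    nxt = s[i + 1]
                    if nxt in ("\\", "'"):  # the only two escapes recognised in '...'
                        cur.append(nxt)
                        i += 2
                        continue
                    if strict:  # over-validation: GNU keeps the backslash instead
                        raise InvalidSequence(f"invalid sequence '\\{nxt}' in -S")
                cur.append(s[i])  # backslash or any other character kept as-is
                i += 1
            if i >= len(s):
                raise ValueError("no terminating quote in -S")
            i += 1  # skip the closing quote
        elif c.isspace():
            if in_arg:
                args.append("".join(cur))
                cur, in_arg = [], False
            i += 1
        else:
            in_arg = True
            cur.append(c)
            i += 1
    if in_arg:
        args.append("".join(cur))
    return args

def diverges(s: str) -> bool:
    """True when the GNU rule accepts s but the strict model rejects it."""
    try:
        return split_single_quoted(s, strict=True) != split_single_quoted(s)
    except InvalidSequence:
        return True
```

Running diverges() over the -S strings used by a script's cron entries is a quick way to find the invocations that would start exiting 125 after a switch to uutils.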
Detection Methods for CVE-2026-35377
Indicators of Compromise
- Scripts or cron jobs using env -S options failing with exit code 125
- Error messages containing "invalid sequence" when running env with split-string arguments
- Automated workflows unexpectedly terminating when processing command strings with backslash characters
Detection Strategies
- Monitor system logs for env utility failures with exit status 125
- Review automation scripts that use env -S for potential exposure to this parsing issue
- Compare behavior of scripts between GNU coreutils and uutils coreutils environments
Monitoring Recommendations
- Set up alerting for unexpected exit codes in critical automation pipelines
- Audit environments where uutils coreutils is deployed as a GNU coreutils replacement
- Implement regression testing for scripts that utilize the env -S split-string functionality
How to Mitigate CVE-2026-35377
Immediate Actions Required
- Identify systems running uutils coreutils with the affected env utility
- Review automation scripts and cron jobs for use of env -S with escape sequences
- Consider temporarily switching to GNU coreutils for affected workflows until a patch is applied
Patch Information
A fix for this issue has been proposed via GitHub Pull Request #11512. Users should monitor this pull request for merge status and update their uutils coreutils installation once the fix is released.
Workarounds
- Avoid using escape sequences like \a or \x within single-quoted strings when using env -S on uutils
- Pre-process command strings to remove or escape problematic backslash sequences before passing to env
- Use GNU coreutils env for scripts that require full GNU-compatible split-string behavior
# Workaround: pass the assignment as an ordinary argument instead of through -S.
# Without -S, env performs no backslash processing, and the shell's single quotes
# keep the backslash literal, so VAR receives the two characters \a unchanged.
# Instead of: env -S 'VAR=\a'   (uutils exits 125 with "invalid sequence")
env VAR='\a' command
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.