CVE-2026-35366: The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences.
medium
vulnerability
security
Summary
A bug in uutils coreutils (a set of basic Unix utilities) causes the printenv tool to silently skip environment variables (settings that programs use) containing invalid UTF-8 byte sequences (bytes that do not decode as valid UTF-8), rather than displaying them. This allows attackers to hide malicious environment variables like LD_PRELOAD (which can inject libraries into programs) from administrators and security tools that rely on printenv to inspect the system.
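A defender-side check for the gap described above, as an added example (not code from uutils or from the NVD entry): it parses a NUL-separated environment block, the layout Linux exposes in /proc/<pid>/environ, and lists every variable with undecodable bytes escaped instead of skipped. The sample block, its path value and all function names are constructed for illustration.

```python
import os
import sys

# Constructed sample in /proc/<pid>/environ layout (NUL-separated NAME=value).
# The LD_PRELOAD value carries two bytes that are not valid UTF-8.
SAMPLE = b"PATH=/usr/bin\0LD_PRELOAD=/opt/example/\xff\xfelib.so\0LANG=C.UTF-8\0"


def is_utf8(data: bytes) -> bool:
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def audit_environ(block: bytes):
    """Return (display, valid_utf8) for every entry; nothing is dropped."""
    report = []
    for entry in block.split(b"\0"):
        if not entry:
            continue  # trailing NUL or empty slot
        name, _, value = entry.partition(b"=")
        # Escape undecodable bytes as \xNN so the entry stays visible.
        shown = "{}={}".format(name.decode("utf-8", "backslashreplace"),
                               value.decode("utf-8", "backslashreplace"))
        report.append((shown, is_utf8(name) and is_utf8(value)))
    return report


def non_utf8_entries(block: bytes):
    """Entries that a listing limited to valid UTF-8 would leave out."""
    return [shown for shown, valid in audit_environ(block) if not valid]


def own_environ_block() -> bytes:
    # os.environb exposes the raw bytes of the environment on POSIX systems.
    return b"\0".join(k + b"=" + v for k, v in os.environb.items())


if __name__ == "__main__":
    # Optional argument: a PID whose /proc/<pid>/environ is readable (Linux).
    if len(sys.argv) > 1:
        with open("/proc/{}/environ".format(sys.argv[1]), "rb") as fh:
            block = fh.read()
    else:
        block = own_environ_block()
    for shown, valid in audit_environ(block):
        print(("     " if valid else "[!]  ") + shown)
```

Entries marked `[!]` are the ones to compare against printenv output on an affected host.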
Vulnerability Details
CVSS Score: 4.4 (medium)
EPSS (30-day exploit probability): 0.0%
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector: local
Attack Complexity: low
Privileges Required: low
User Interaction: none
Disclosure Date: April 22, 2026
Classification
Attack Sophistication: Moderate
Taxonomy References
CWE (Weakness Type)
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-35366
First tracked: April 22, 2026 at 02:08 PM
Classified by LLM (prompt v3) · confidence: 95%