Threat Advisory

uu_printenv Vulnerability Allows Hidden Environment Variables Exploit

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-35366 with a CVSS score of 4.4 is a medium‑severity flaw in the rust/uu_printenv utility of the uutils coreutils package affecting all versions prior to 0.6.0, where the tool silently omits environment variables that contain invalid UTF‑8 byte sequences instead of displaying the raw bytes. In practice, an attacker who can set a local environment variable—such as through a compromised script, a misconfigured service, or a user‑controlled process—can craft a malicious entry (for example, an LD_PRELOAD value with non‑UTF‑8 bytes) that printenv will skip, allowing the variable to evade standard inspection and logging mechanisms. The attack vector is local, requires only low privileges, and does not need user interaction, meaning any user with limited access to the host can inject the crafted variable. By bypassing visibility checks, the adversary can achieve stealthy library injection or other environment‑based attacks, potentially escalating privileges, exfiltrating data, or compromising application integrity. Exploitation hinges on the presence of the vulnerable printenv version and the ability to set environment variables on the target system; without these conditions, the vulnerability cannot be leveraged.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-35366 with a CVSS score of 4.4 is a medium‑severity flaw in the rust/uu_printenv utility of the uutils coreutils package affecting all versions prior to 0.6.0, where the tool silently omits environment variables that contain invalid UTF‑8 byte sequences instead of displaying the raw bytes. In practice, an attacker who can set a local environment variable—such as through a compromised script, a misconfigured service, or a user‑controlled process—can craft a malicious entry (for example, an LD_PRELOAD value with non‑UTF‑8 bytes) that printenv will skip, allowing the variable to evade standard inspection and logging mechanisms. The attack vector is local, requires only low privileges, and does not need user interaction, meaning any user with limited access to the host can inject the crafted variable. By bypassing visibility checks, the adversary can achieve stealthy library injection or other environment‑based attacks, potentially escalating privileges, exfiltrating data, or compromising application integrity. Exploitation hinges on the presence of the vulnerable printenv version and the ability to set environment variables on the target system; without these conditions, the vulnerability cannot be leveraged.[emaillocker id="1283"]

RECOMMENDATION:

  • We recommend you to update rust/uu_printenv to version 0.6.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-p7h3-7q52-72w8

[/emaillocker]
crossmenu