VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-rkja-wb14-m3hw

Essentials
Severities (19)
References (8)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-rkja-wb14-m3hw
Aliases	CVE-2026-35366 GHSA-7259-cwhx-3xx3
Summary	The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-754

Improper Check for Unusual or Exceptional Conditions

System	Score	Found at
epss	0.00013	https://api.first.org/data/v1/epss?cve=CVE-2026-35366
epss	0.00013	https://api.first.org/data/v1/epss?cve=CVE-2026-35366
epss	0.00013	https://api.first.org/data/v1/epss?cve=CVE-2026-35366
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-7259-cwhx-3xx3
cvssv3.1	4.4	https://github.com/uutils/coreutils
generic_textual	MODERATE	https://github.com/uutils/coreutils
cvssv3.1	4.4	https://github.com/uutils/coreutils/commit/0bfbbc00c7895c0fb6ea94987b4aab99e3d7ee52
generic_textual	MODERATE	https://github.com/uutils/coreutils/commit/0bfbbc00c7895c0fb6ea94987b4aab99e3d7ee52
cvssv3.1	4.4	https://github.com/uutils/coreutils/issues/9701
generic_textual	MODERATE	https://github.com/uutils/coreutils/issues/9701
ssvc	Track	https://github.com/uutils/coreutils/issues/9701
cvssv3.1	4.4	https://github.com/uutils/coreutils/pull/9728
generic_textual	MODERATE	https://github.com/uutils/coreutils/pull/9728
ssvc	Track	https://github.com/uutils/coreutils/pull/9728
cvssv3.1	4.4	https://github.com/uutils/coreutils/releases/tag/0.6.0
generic_textual	MODERATE	https://github.com/uutils/coreutils/releases/tag/0.6.0
ssvc	Track	https://github.com/uutils/coreutils/releases/tag/0.6.0
cvssv3.1	4.4	https://nvd.nist.gov/vuln/detail/CVE-2026-35366
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-35366

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-35366
		https://github.com/uutils/coreutils
		https://github.com/uutils/coreutils/commit/0bfbbc00c7895c0fb6ea94987b4aab99e3d7ee52
		https://nvd.nist.gov/vuln/detail/CVE-2026-35366
0.6.0		https://github.com/uutils/coreutils/releases/tag/0.6.0
9701		https://github.com/uutils/coreutils/issues/9701
9728		https://github.com/uutils/coreutils/pull/9728
GHSA-7259-cwhx-3xx3		https://github.com/advisories/GHSA-7259-cwhx-3xx3

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/uutils/coreutils

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/uutils/coreutils/commit/0bfbbc00c7895c0fb6ea94987b4aab99e3d7ee52

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/uutils/coreutils/issues/9701

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:50:05Z/ Found at https://github.com/uutils/coreutils/issues/9701

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/uutils/coreutils/pull/9728

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:50:05Z/ Found at https://github.com/uutils/coreutils/pull/9728

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/uutils/coreutils/releases/tag/0.6.0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:50:05Z/ Found at https://github.com/uutils/coreutils/releases/tag/0.6.0

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35366

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.0234
EPSS Score	0.00013
Published At	June 14, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:44:55.388220+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35366.json	38.6.0