Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-xyy7-7fby-4kgn
Vulnerability ID VCID-xyy7-7fby-4kgn
Aliases CVE-2026-35377
GHSA-5v4g-vw9x-h534
Summary A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
Status Published
Exploitability 0.5
Weighted Severity 3.0
Risk 1.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-20 Improper Input Validation
System Score Found at
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2026-35377
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2026-35377
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2026-35377
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2026-35377
cvssv3.1_qr LOW https://github.com/advisories/GHSA-5v4g-vw9x-h534
cvssv3.1 3.3 https://github.com/uutils/coreutils
generic_textual LOW https://github.com/uutils/coreutils
cvssv3.1 3.3 https://github.com/uutils/coreutils/pull/11512
generic_textual LOW https://github.com/uutils/coreutils/pull/11512
ssvc Track https://github.com/uutils/coreutils/pull/11512
cvssv3.1 3.3 https://nvd.nist.gov/vuln/detail/CVE-2026-35377
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2026-35377
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-35377
https://github.com/uutils/coreutils
https://nvd.nist.gov/vuln/detail/CVE-2026-35377
1136207 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136207
11512 https://github.com/uutils/coreutils/pull/11512
GHSA-5v4g-vw9x-h534 https://github.com/advisories/GHSA-5v4g-vw9x-h534
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/uutils/coreutils
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/uutils/coreutils/pull/11512
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:00:56Z/ Found at https://github.com/uutils/coreutils/pull/11512
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35377
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.04572
EPSS Score 0.00017
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:45:00.865117+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35377.json 38.6.0