Description
A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
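As an added illustration (not code from uutils, GNU coreutils, or the advisory), the following simplified Rust model parses one single-quoted segment of a `-S` string, with the GNU rule from the description beside a strict variant that reproduces the rejection reported above; the `strict` flag, the function and error names are assumptions made here:

```rust
// Added illustration, not uutils' or GNU's own code: a simplified model of
// parsing a single-quoted segment of an `env -S` string. `input` begins just
// after the opening quote; parsing stops at the closing quote. In GNU mode only
// `\\` and `\'` are escapes and any other backslash is kept literally; the
// strict model instead rejects such backslashes as an "invalid sequence".

#[derive(Debug, PartialEq)]
pub enum ParseError {
    InvalidSequence(char),
    UnterminatedQuote,
}

/// Exit status the advisory reports for the rejection in the affected `env`.
pub const EXIT_INVALID_SEQUENCE: i32 = 125;

/// Parse one single-quoted segment. `strict = false` follows the GNU rule,
/// `strict = true` models the over-validating behaviour described above.
pub fn parse_single_quoted(input: &str, strict: bool) -> Result<String, ParseError> {
    let mut out = String::new();
    let mut chars = input.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '\'' => return Ok(out),
            '\\' => match chars.peek() {
                // `\\` -> `\` and `\'` -> `'` are recognised in both modes.
                Some('\\') | Some('\'') => out.push(chars.next().unwrap()),
                // Any other backslash: the strict model rejects it ...
                Some(&next) if strict => return Err(ParseError::InvalidSequence(next)),
                // ... while GNU keeps it as an ordinary character.
                _ => out.push('\\'),
            },
            other => out.push(other),
        }
    }
    Err(ParseError::UnterminatedQuote)
}

fn main() {
    // Constructed inputs; `a\xb` carries the kind of sequence the advisory cites.
    for s in [r"a\xb'", r"it\'s'", r"back\\slash'"] {
        println!("gnu:    {:?}", parse_single_quoted(s, false));
        println!("strict: {:?} (exit {})", parse_single_quoted(s, true), EXIT_INVALID_SEQUENCE);
    }
}
```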
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Local Denial of Service
Action: Update
AI Analysis

Impact

A logic error in the env utility of uutils coreutils causes the split-string option to misinterpret backslashes. While GNU env treats backslashes within single quotes literally, uutils tries to validate these sequences and produces an "invalid sequence" error, terminating the process with exit status 125 when it encounters valid but unrecognized sequences such as \a or \x. This incompatibility disrupts automated scripts and administrative workflows that rely on standard split-string semantics, thereby creating a local denial of service for operations that invoke this option.

Affected Systems

The affected product is the env utility within uutils coreutils. Any version of uutils coreutils containing the buggy env implementation is susceptible; the exact affected versions are not specified in the advisory.

Risk and Exploitability

The CVSS score of 3.3 indicates a low-severity vulnerability. No EPSS score is available and the issue is not listed in CISA KEV, suggesting a low likelihood of widespread exploitation. The attack vector is local, requiring the attacker to execute the env command with the split-string option on an affected system. As the vulnerability only causes a process termination, its impact is limited to service disruption of the specific task using this utility and does not expose sensitive data or allow further privilege escalation.

Generated by OpenCVE AI on April 27, 2026 at 08:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to the latest release that includes the fixed env implementation.
  • Avoid using the -S option with backslashes in scripts that rely on env; instead, escape characters explicitly or rewrite the command to bypass split-string processing.
  • If an update is unavailable, temporarily replace the uutils env utility with GNU coreutils env, which correctly handles backslashes and maintains expected behavior.

Generated by OpenCVE AI on April 27, 2026 at 08:36 UTC.

Tracking


Advisories
Source        ID                     Title
GitHub GHSA   GHSA-5v4g-vw9x-h534    uutils coreutils has an Improper Input Validation Issue in its env Utility
History

Fri, 24 Apr 2026 19:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Uutils
                                        Uutils coreutils
CPEs                                    cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*
Vendors & Products                      Uutils
                                        Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type                  Values Removed    Values Added
Description                             A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
Title                                   uutils coreutils env Local Denial of Service via Improper Handling of Backslashes in Split-String Mode
Weaknesses                              CWE-20
References
Metrics                                 cvssV3_1
                                        {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:01:09.526Z

Reserved: 2026-04-02T12:58:56.089Z

Link: CVE-2026-35377

Vulnrichment

Updated: 2026-04-22T17:01:00.614Z

NVD

Status: Analyzed

Published: 2026-04-22T17:16:42.577

Modified: 2026-04-24T19:06:46.293

Link: CVE-2026-35377

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:53:26Z

Weaknesses