Description
A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
Published: 2026-04-22
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: Local Denial of Service
Action: Update
AI Analysis

Impact

A logic error in the env utility of uutils coreutils causes the split-string option to misinterpret backslashes. While GNU env treats backslashes within single quotes literally, uutils tries to validate these sequences and produces an "invalid sequence" error, terminating the process with exit status 125 when it encounters valid but unrecognized sequences such as \a or \x. This incompatibility disrupts automated scripts and administrative workflows that rely on standard split-string semantics, thereby creating a local denial of service for operations that invoke this option.

Affected Systems

The affected product is the env utility within uutils coreutils. Any version of uutils coreutils containing the buggy env implementation is susceptible; the exact affected versions are not specified in the advisory.

Risk and Exploitability

The CVSS score of 3.3 indicates a low severity vulnerability. No EPSS score is available and the issue is not listed in CISA KEV, suggesting a low likelihood of widespread exploitation. The attack vector is local, requiring the attacker to execute the env command with the split-string option on an affected system. As the vulnerability only causes a process termination, its impact is limited to service disruption of the specific task using this utility and does not expose sensitive data or allow further privilege escalation.

Generated by OpenCVE AI on April 22, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to the latest release that includes the fixed env implementation.
  • Avoid using the -S option with backslashes in scripts that rely on env; instead, escape characters explicitly or rewrite the command to bypass split-string processing.
  • If an update is unavailable, temporarily replace the uutils env utility with GNU coreutils env, which correctly handles backslashes and maintains expected behavior.
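
For auditing scripts against the second recommendation, the following Rust function is an added example (not code from uutils, GNU coreutils or OpenCVE). It lists the backslash sequences inside single quotes of a -S argument other than \\ and \', which are the ones the description says GNU env keeps literal (the description names \a and \x as sequences that trigger the error). The function name, the simplified quote tracking outside single quotes and the sample strings are assumptions made for illustration.

```rust
/// Added audit helper (hypothetical name; not uutils or GNU code).
/// Walks an `env -S` argument and returns every backslash sequence found
/// inside single quotes other than `\\` and `\'`.
/// Quote tracking outside single quotes is a simplified model (assumption):
/// a backslash there consumes the next character, and a single quote inside
/// double quotes does not open a single-quoted span.
#[derive(Clone, Copy)]
enum State {
    Plain,
    Single,
    Double,
}

pub fn literal_backslashes_in_single_quotes(arg: &str) -> Vec<String> {
    let mut state = State::Plain;
    let mut hits = Vec::new();
    let mut chars = arg.chars();
    while let Some(c) = chars.next() {
        match (state, c) {
            (State::Plain, '\'') => state = State::Single,
            (State::Plain, '"') => state = State::Double,
            (State::Double, '"') => state = State::Plain,
            (State::Single, '\'') => state = State::Plain,
            // Inside single quotes only \\ and \' are escapes; report the rest.
            (State::Single, '\\') => match chars.next() {
                Some('\\') | Some('\'') => {}
                Some(n) => hits.push(format!("\\{}", n)),
                None => hits.push("\\".to_string()), // dangling backslash
            },
            // Unquoted or double-quoted backslash: skip the escaped character.
            (_, '\\') => {
                chars.next();
            }
            _ => {}
        }
    }
    hits
}

fn main() {
    // Constructed sample -S arguments (not taken from the advisory).
    for arg in [r"printf '%s\n' 'a\x41'", r#"sh -c "echo \a""#, r"'it\'s \\ ok'"] {
        println!("{:?} -> {:?}", arg, literal_backslashes_in_single_quotes(arg));
    }
}
```

A non-empty result marks an argument to re-test against the installed env before relying on it in automation.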


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Values added:
  Description: the text given under Description at the top of this page
  Title: uutils coreutils env Local Denial of Service via Improper Handling of Backslashes in Split-String Mode
  Weaknesses: CWE-20
  References:
  Metrics: cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:01:09.526Z

Reserved: 2026-04-02T12:58:56.089Z

Link: CVE-2026-35377

Vulnrichment

Updated: 2026-04-22T17:01:00.614Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T17:16:42.577

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z
