CVE-2026-35377: CWE-20: Improper Input Validation in Uutils coreutils
A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
AI Analysis
Technical Summary
The vulnerability arises from a logic error in uutils coreutils' env utility when parsing command-line arguments with the -S option. Unlike GNU env, which treats backslashes within single quotes literally except for \\ and \' sequences, uutils coreutils attempts to validate these sequences and rejects valid but unrecognized sequences such as \a or \x. This causes an immediate termination of the process with exit status 125, leading to a local denial of service by breaking compatibility with expected GNU env behavior in scripts and workflows.
Potential Impact
The impact is a local denial of service due to process termination when valid escape sequences are encountered in the -S option of env in uutils coreutils. There is no confidentiality or integrity impact. The issue affects automated scripts and administrative workflows that depend on GNU env's split-string parsing behavior, potentially causing failures or interruptions in those operations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider avoiding the use of the -S option with escape sequences that trigger this behavior or use GNU env as an alternative to maintain compatibility.
CVE-2026-35377: CWE-20: Improper Input Validation in Uutils coreutils
Description
A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from a logic error in uutils coreutils' env utility when parsing command-line arguments with the -S option. Unlike GNU env, which treats backslashes within single quotes literally except for \\ and \' sequences, uutils coreutils attempts to validate these sequences and rejects valid but unrecognized sequences such as \a or \x. This causes an immediate termination of the process with exit status 125, leading to a local denial of service by breaking compatibility with expected GNU env behavior in scripts and workflows.
Potential Impact
The impact is a local denial of service due to process termination when valid escape sequences are encountered in the -S option of env in uutils coreutils. There is no confidentiality or integrity impact. The issue affects automated scripts and administrative workflows that depend on GNU env's split-string parsing behavior, potentially causing failures or interruptions in those operations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider avoiding the use of the -S option with escape sequences that trigger this behavior or use GNU env as an alternative to maintain compatibility.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.089Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d519fe3cd2cdd00d9c
Added to database: 4/22/2026, 4:31:17 PM
Last enriched: 4/22/2026, 4:47:14 PM
Last updated: 4/23/2026, 1:09:37 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.