VDB
KO
MEDIUM 4.4

GHSA-p7h3-7q52-72w8

printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection)

Details

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected.

--- _Zellic finding 3.66. Reported in the Zellic *uutils coreutils Program Security Assessment* (for Canonical, Jan 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`._

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / uu_printenv
Introduced in: 0 Fixed in: 0.6.0

Upgrade uu_printenv to 0.6.0 or newer (ecosystem crates.io).

References