CVE-2026-35377

Name of the Vulnerable Software and Affected Versions uutils coreutils (affected versions not specified)

Description A logic error in the env utility causes a failure to correctly parse command-line arguments when using the '-S' (split-string) option. The implementation incorrectly validates backslash sequences within single quotes, leading to an "invalid sequence" error and process termination with an exit status of 125 when encountering valid sequences such as a or x. This behavior differs from GNU env, where such sequences are treated literally, resulting in a local denial of service for automated scripts and administrative workflows.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.