Privilege Escalation Vulnerability in GNU Inetutils Telnetd
CVE-2026-28372

7.4HIGH

Key Information:

Vendor

Gnu
Status
Inetutils
Vendor
CVE Published:
27 February 2026

What is CVE-2026-28372?

The telnetd component of GNU Inetutils versions prior to 2.7 has a privilege escalation vulnerability that allows unprivileged local users to exploit the systemd service credentials support. By creating a malicious login.noauth file, attackers can manipulate the CREDENTIALS_DIRECTORY environment variable, potentially gaining elevated privileges on the system.

Affected Version(s)

inetutils 0 <= 2.7

References

https://lists.gnu.org/archive/html/bug-inetutils/2026-02/...
https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/co...
https://lists.gnu.org/archive/html/bug-inetutils/2026-02/...

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.