CVE-2026-28372

CWE-8296 documents6 sources

Severity

7.8HIGH

EPSS

0.0%

top 99.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Inetutils

Timeline

PublishedFeb 27

Description

telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 1.4 | Impact: 5.9

Affected Packages3 packages

▶Debianinetutils< 2:2.4-2+deb12u3+2

▶CVEListV5gnu/inetutils2.7

▶NVDgnu/inetutils2.7

Patches

Patch: git.hadrons.org ↗

🔴Vulnerability Details

OSV

CVE-2026-28372: telnetd in GNU inetutils through 2↗2026-02-27

▶

GHSA

GHSA-j682-47rx-fxrp: telnetd in GNU inetutils through 2↗2026-02-27

▶

CVEList

CVE-2026-28372: telnetd in GNU inetutils through 2↗2026-02-27

▶

📋Vendor Advisories

Debian

CVE-2026-28372: inetutils - telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exp...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28372 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶