Gnu Inetutils vulnerabilities

CVE-2026-32772 [LOW] CWE-669 CVE-2026-32772: telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clie telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.

CVE-2026-32746 [CRITICAL] CWE-120 CVE-2026-32746: telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Ch telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.

CVE-2026-28372 [HIGH] CWE-829 CVE-2026-28372: telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing sy telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth

CVE-2026-24061 [CRITICAL] CWE-88 CVE-2026-24061: telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

CVE-2023-40303 [HIGH] CWE-252 CVE-2023-40303: GNU inetutils before 2.5 may allow privilege escalation because of unchecked return values of set*id GNU inetutils before 2.5 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the setuid system call fails when a process is trying to drop privileges before letting an ordinary user control the activities of the process.

CVE-2022-39028 [HIGH] CWE-476 CVE-2022-39028: telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL p telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval,

CVE-2021-40491 [MEDIUM] CVE-2021-40491: The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV respons The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.

CVE-2011-4862 [CRITICAL] CWE-120 CVE-2011-4862: Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.