CVE-2026-28372

telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.

References

Affected packages

Git / git.hadrons.org/cgit/debian/pkgs/inetutils.git

Affected ranges

Type: GIT
Repo: https://git.hadrons.org/cgit/debian/pkgs/inetutils.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3953943d8296310485f98963883a798545ab9a6c

Affected versions

1.*

1.4.2+20030703-1

1.4.2+20030703-7

1.4.2+20030703-8

1.4.2+20031022-1

1.4.2+20040207-1

1.4.2+20040207-2

1.4.2+20040207-3

1.4.2+20040207-4

1.4.2+20040207-5

1.4.2+20040207-6

1.4.3+20051212-1

1.4.3+20051212-2

1.4.3+20051212-3

1.4.3+20051212-4

1.4.3+20060719-1

1.4.3+20060719-2

1.4.3+20060719-3

1.5.dfsg.1-1

1.5.dfsg.1-2

1.5.dfsg.1-3

1.5.dfsg.1-4

1.5.dfsg.1-5

1.5.dfsg.1-6

1.5.dfsg.1-7

1.5.dfsg.1-8

1.5.dfsg.1-9

1.6-1

1.6-2

1.6-3

1.8-1

1.8-2

1.8-3

1.8-4

1.8-5

1.8-6

1.9-1

1.9-2

1.9.1.282-e8541-1

1.9.1.306-0a482-1

1.9.1.363-bbc1-1

1.9.2-1

1.9.2.39.3a460-1

1.9.2.39.3a460-2

1.9.2.39.3a460-3

1.9.3-1

1.9.3-2

1.9.4-1

1.9.4-10

1.9.4-11

1.9.4-12

1.9.4-13

1.9.4-2

1.9.4-3

1.9.4-4

1.9.4-5

1.9.4-6

1.9.4-7

1.9.4-8

1.9.4-9

1.9.4.90-1

1.9.4.91-1

2.*

2.0-1

2.1-1

2.1-2

2.2-1

2.2-2

2.3-1

2.3-2

2.3-3

2.3-4

2.3-5

2.3-6

2.4-1

2.4-2

2.4-3

2.5-1

2.5-2

2.5-3

2.5-4

2.5-5

2.5-6

2.6-1

2.6-2

2.6-3

2.6-4

2.7-1

2.7-2

Other

20030701-1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28372.json"