DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28372: CVE-2026-28372: Local Privilege Escalation in GNU Inetutils telnetd

#security #cve #cybersecurity

CVE-2026-28372: Local Privilege Escalation in GNU Inetutils telnetd

Vulnerability ID: CVE-2026-28372
CVSS Score: 7.4
Published: 2026-02-27

A critical privilege escalation vulnerability exists in GNU Inetutils telnetd versions through 2.7. The daemon fails to properly sanitize the environment before executing the login process, allowing attackers to inject dangerous environment variables. Because telnetd executes /bin/login as root without triggering the kernel's AT_SECURE protection, these variables are preserved. This allows local attackers—and potentially remote attackers depending on configuration—to gain root privileges by manipulating systemd credentials or glibc character set conversion paths.

TL;DR

GNU telnetd fails to scrub environment variables when spawning /bin/login as root. This allows attackers to inject CREDENTIALS_DIRECTORY (bypassing authentication in util-linux 2.40+) or GCONV_PATH (loading malicious shared objects via glibc). The vulnerability leads to immediate root compromise.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-829
  • Attack Vector: Local / Network (if allowed)
  • CVSS v3.1: 7.4 (High)
  • EPSS Score: 0.01% (Low probability)
  • Impact: Privilege Escalation (Root)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • GNU Inetutils telnetd <= 2.7
  • Linux systems running telnetd with util-linux >= 2.40 (for Vector 1)
  • Linux systems running telnetd with glibc (for Vector 2)
  • inetutils: <= 2.7 (Fixed in: 2.8)

Code Analysis

Commit: 3953943

telnetd: Fix environment sanitization by switching to whitelist

No diff available in context
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • GitHub: Proof of Concept exploit script for telnetd LPE

Mitigation Strategies

  • Replace Telnet with SSH (OpenSSH)
  • Apply vendor patches immediately
  • Implement strict SELinux/AppArmor profiles for legacy daemons

Remediation Steps:

  1. Identify systems running inetutils-telnetd.
  2. Stop the telnet daemon: systemctl stop telnet.socket.
  3. Update inetutils packages: apt-get update && apt-get install inetutils-telnetd (ensure version >= 2.8).
  4. Verify the patch by checking if ENVIRON passing of CREDENTIALS_DIRECTORY is blocked.

References

Read the full report for CVE-2026-28372 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)