CVE-2026-24061

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

Configurations

Configuration 1

cpe:2.3:a:gnu:inetutils:*:*:*:*:*:*:*:*

Configuration 2

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

11 Feb 2026, 15:40

Type Values Removed Values Added
References () https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package - () https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package - Third Party Advisory
References () https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package - () https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package - Mitigation, Third Party Advisory

10 Feb 2026, 18:16

Type Values Removed Values Added
References
  • () https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package -
  • () https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package -

30 Jan 2026, 13:28

Type Values Removed Values Added
References () https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc - () https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc - Patch
References () https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b - () https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b - Patch
References () https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html - () https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html - Mitigation, Vendor Advisory

29 Jan 2026, 19:16

Type Values Removed Values Added
References
  • () https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc -
  • () https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b -
  • () https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html -

27 Jan 2026, 16:17

Type Values Removed Values Added
CPE
  • cpe:2.3:a:gnu:inetutils:*:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
References () https://www.gnu.org/software/inetutils/ - () https://www.gnu.org/software/inetutils/ - Product
References () https://www.openwall.com/lists/oss-security/2026/01/20/2 - () https://www.openwall.com/lists/oss-security/2026/01/20/2 - Mailing List
References () https://www.openwall.com/lists/oss-security/2026/01/20/8 - () https://www.openwall.com/lists/oss-security/2026/01/20/8 - Mailing List
References () http://www.openwall.com/lists/oss-security/2026/01/22/1 - () http://www.openwall.com/lists/oss-security/2026/01/22/1 - Mailing List
References () https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html - () https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html - Mailing List, Third Party Advisory
References () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061 - () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061 - US Government Resource
References () https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html - () https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html - Exploit, Third Party Advisory
References () https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER=' - () https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER=' - Mailing List, Third Party Advisory
First Time
  • Debian debian Linux
  • Gnu
  • Debian
  • Gnu inetutils

26 Jan 2026, 21:15

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061 -
  • () https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html -

25 Jan 2026, 01:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html -

22 Jan 2026, 21:15

Type Values Removed Values Added
References
  • () https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER=' -

22 Jan 2026, 20:16

Type Values Removed Values Added
Summary
  • (es) telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a '-f root' value for the USER environment variable.
References
  • () http://www.openwall.com/lists/oss-security/2026/01/22/1 -

21 Jan 2026, 07:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-21 07:16

Updated : 2026-02-11 15:40


NVD link : CVE-2026-24061

Mitre link : CVE-2026-24061

CVE.ORG link : CVE-2026-24061



Products Affected

debian

  • debian_linux

gnu

  • inetutils

CWE

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')