CVE-2026-28372 HIGH

Vendor Gnu
Product inetutils
Weakness CWE-829 · Inclusion from untrusted sphere
Published February 27, 2026
Last update March 7, 2026

CVSS base score

7.4/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.

Key dates

02 Disclosure timeline

February 27, 2026 CVE published
March 7, 2026 Record updated