CVE-2026-28372
Published: 27 February 2026
Summary
CVE-2026-28372 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in GNU inetutils. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 0.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28372, published on 2026-02-27, is a privilege escalation vulnerability in telnetd within GNU inetutils through version 2.7. It arises from the abuse of systemd service credentials support added to the login(1) implementation in util-linux release 2.40, specifically due to client control over the CREDENTIALS_DIRECTORY environment variable. Exploitation requires an unprivileged local user to create a login.noauth file. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
An unprivileged local attacker can exploit this vulnerability by creating a login.noauth file and leveraging control over the CREDENTIALS_DIRECTORY environment variable during telnetd interactions with login(1). Successful exploitation results in privilege escalation, granting high-impact confidentiality, integrity, and availability effects despite the high attack complexity.
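The root cause described above is a privileged child (login(1)) trusting an environment variable that a network client was allowed to set. The general defence is an allowlist: a daemon that spawns a privileged program starts from a fixed minimal environment and copies in only the client-supplied variables it knows are harmless, so an unknown name such as CREDENTIALS_DIRECTORY is dropped without the daemon having to know about it in advance. The following Python is an added illustration of that pattern, not the inetutils or util-linux fix; the allowlist contents, the function names and the sample client environment are assumptions constructed for the example.

```python
"""Allowlist filtering of client-supplied environment variables before a daemon
execs a privileged helper (illustration, not the inetutils patch)."""
import re

# Variables a terminal session legitimately needs (assumed allowlist).
SAFE_ENV_NAMES = frozenset({"TERM", "LANG", "LC_ALL", "LC_CTYPE", "COLUMNS", "LINES"})

# Fixed base environment the child always gets (assumed values).
BASE_ENV = {"PATH": "/usr/bin:/bin", "SHELL": "/bin/sh"}

NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
MAX_VALUE_LEN = 1024


def is_safe_value(value: str) -> bool:
    """Printable ASCII only, bounded length: no control or escape bytes."""
    return len(value) <= MAX_VALUE_LEN and all(32 <= ord(ch) < 127 for ch in value)


def filter_client_env(client_env: dict, allowlist=SAFE_ENV_NAMES):
    """Split a client-supplied environment into (kept, dropped).

    A name is kept only if it is on the allowlist, is well-formed, and carries
    a safe value. Everything else is dropped and reported so the daemon can log it.
    """
    kept, dropped = {}, []
    for name, value in client_env.items():
        if name in allowlist and NAME_RE.match(name) and is_safe_value(value):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, sorted(dropped)


def build_child_env(client_env: dict) -> dict:
    """Environment to hand to the privileged child: base + allowlisted client vars.

    The client can never introduce a name the daemon did not anticipate, and can
    never override the base entries.
    """
    kept, _ = filter_client_env(client_env)
    env = dict(BASE_ENV)
    env.update({k: v for k, v in kept.items() if k not in BASE_ENV})
    return env


if __name__ == "__main__":
    # Constructed sample of what a client might send; not captured traffic.
    sample = {
        "TERM": "xterm-256color",
        "LANG": "C.UTF-8",
        "CREDENTIALS_DIRECTORY": "/tmp/client-controlled",
        "SOME_FUTURE_VAR": "whatever",
        "PATH": "/tmp/override",
    }
    kept, dropped = filter_client_env(sample)
    print("kept:", kept)
    print("dropped (log these):", dropped)
    print("child env:", build_child_env(sample))
```

Note the contrast with a denylist: blocking CREDENTIALS_DIRECTORY by name would have required knowing, before util-linux 2.40 shipped, that login(1) would start honouring it. The allowlist needs no such foresight, and logging the dropped names gives defenders a cheap signal that a client is probing the environment channel.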
Advisories and discussions on GNU inetutils bug lists, oss-security mailing lists, and a Debian inetutils package commit provide details on the issue and mitigations. The referenced commit at https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=3953943d8296310485f98963883a798545ab9a6c appears to address the vulnerability, while threads at https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html, https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00012.html, https://www.openwall.com/lists/oss-security/2026/02/24/1, and http://www.openwall.com/lists/oss-security/2026/02/27/3 outline the root cause and recommended fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9000
Vulnerability details
telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct local privilege escalation via environment-variable abuse and file creation in the login/telnetd interaction maps to Exploitation for Privilege Escalation.
Mitigating Controls (NIST 800-53 r5)
- Enforces access restrictions on the telnetd-to-login(1) interaction so an unprivileged user cannot abuse CREDENTIALS_DIRECTORY or login.noauth to escalate privileges.
- Requires prompt application of the vendor patch (e.g., the referenced Debian inetutils commit) that eliminates the flawed credential-passing logic in telnetd.
- Disables or restricts the telnetd service (and any util-linux login integration) so the vulnerable code path is never exposed to local users.