CVE-2026-28372
Publication date 27 February 2026
Last updated 8 June 2026
Ubuntu priority
Description
telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| inetutils | 26.04 LTS resolute |
Fixed 2:2.7-2ubuntu1.1
|
| 25.10 questing |
Fixed 2:2.6-1ubuntu3.2
|
|
| 24.04 LTS noble |
Fixed 2:2.5-3ubuntu4.2
|
|
| 22.04 LTS jammy |
Fixed 2:2.2-2ubuntu0.2+esm1
|
|
| 20.04 LTS focal |
Fixed 2:1.9.4-11ubuntu0.2+esm4
|
|
| 18.04 LTS bionic |
Fixed 2:1.9.4-3ubuntu0.1+esm5
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needed | |
| 14.04 LTS trusty |
Fixed 2:1.9.2-1ubuntu0.1~esm4
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
mdeslaur
This is only an issue when used with util-linux 2.40+ which added support for systemd service credentials Noble and earlier shipped with util-linux < 2.40 and are not vulnerable to this issue. In addition, in Ubuntu noble and earlier, the login binary is produced by the shadow package, not the util-linux package. The login binary switched to being built from the util-linux package in questing and later. See discussion here for more possible issues: https://www.openwall.com/lists/oss-security/2026/02/24/1 Should also include all the hardening commits from here: https://cgit.git.savannah.gnu.org/cgit/inetutils.git/log/telnetd
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.4 · High
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-8387-1
- Inetutils vulnerabilities
- 4 June 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-28372
- https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html
- https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=3953943d8296310485f98963883a798545ab9a6c
- https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00012.html
- https://www.openwall.com/lists/oss-security/2026/02/24/1