CVE-2026-24061
Published: 21 January 2026
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2026-24061 is a high-severity vulnerability (CVSS 9.8) in the telnetd daemon of GNU Inetutils versions through 2.7, stemming from CWE-88 (improper neutralization of argument delimiters, i.e. argument injection). It enables remote authentication bypass: a client can set the USER environment variable to "-f root", and because telnetd does not validate that value before passing it along, the string is treated as arguments rather than as a user name, letting an attacker circumvent the login credential check.
Any unauthenticated remote attacker with network access to the telnetd service can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high-impact privileges, potentially including root-level access, resulting in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) on the affected system.
Mitigation involves applying patches from upstream commits, such as ccba9f748aa8d50a38d7748e2e60362edd6a32cc and fd702c02497b2f398e739e3119bed0b23dd7aa7b on Codeberg, which address the authentication flaw. Advisories on GNU bug-inetutils and oss-security mailing lists detail the issue and fixes, with further details available on the GNU Inetutils project page; security practitioners should upgrade to versions beyond 2.7 and disable telnetd where possible.
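Added example, not GNU Inetutils' own code or its patch: a C check of the kind the summary calls for, which parses the NEW-ENVIRON suboption a telnet client uses to set USER and refuses any value that login(1) could read as options. The suboption layout follows RFC 1572; the character whitelist and length limit are this example's own assumptions, and the sample bytes are constructed.

```c
/* Added example, not GNU Inetutils code: vet the NEW-ENVIRON USER value before it can reach login(1). */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define MAX_USER_LEN 32   /* assumption: a generous upper bound on account-name length */

/* Plain account name only: non-empty, bounded, no leading '-' (so "-f root" cannot become options). */
bool user_name_is_safe(const char *user)
{
    if (user == NULL || *user == '\0' || *user == '-' || strlen(user) > MAX_USER_LEN)
        return false;
    for (const char *p = user; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return false;  /* no whitespace/control */
    }
    return true;
}

/* Copy the USER value out of a NEW-ENVIRON IS suboption body (RFC 1572: VAR name VALUE value ...,
 * i.e. the bytes after IS and before IAC SE). ESC (2) escaping is not handled in this example. */
bool extract_user_var(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    enum { VAR = 0, VALUE = 1, USERVAR = 3 };
    for (size_t i = 0; i < len; ) {
        if (buf[i] != VAR && buf[i] != USERVAR) return false;   /* malformed: expected a name marker */
        size_t ns = ++i;
        while (i < len && buf[i] != VALUE && buf[i] != VAR && buf[i] != USERVAR) i++;
        size_t nlen = i - ns, vs = i, vlen = 0;
        if (i < len && buf[i] == VALUE) {
            vs = ++i;
            while (i < len && buf[i] != VAR && buf[i] != USERVAR) i++;
            vlen = i - vs;
        }
        if (nlen == 4 && memcmp(buf + ns, "USER", 4) == 0 && vlen < outsz) {
            memcpy(out, buf + vs, vlen);
            out[vlen] = '\0';
            return true;
        }
    }
    return false;
}

/* Constructed sample: the suboption body that sets USER to "-f root"; true means parsed, then refused. */
bool rejects_option_injection(void)
{
    static const unsigned char sub[] = { 0, 'U','S','E','R', 1, '-','f',' ','r','o','o','t' };
    char user[MAX_USER_LEN + 1];
    return extract_user_var(sub, sizeof sub, user, sizeof user) && !user_name_is_safe(user);
}
```

The same validation applies wherever the daemon consumes a client-supplied name; logging rejected values gives a simple detection signal for this CVE's pattern.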
Details
- CWE(s): CWE-88
- KEV Date Added: 26 January 2026
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of the telnetd daemon via argument injection for authentication bypass, granting root access. This maps directly to T1190 (Exploit Public-Facing Application), T1210 (Exploitation of Remote Services), and T1068 (Exploitation for Privilege Escalation).