GNU Inetutils
Known Exploited GNU Inetutils Vulnerabilities
The following GNU Inetutils vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| GNU InetUtils Argument Injection Vulnerability | GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable. CVE-2026-24061. Exploit Probability: 81.0% | January 26, 2026 |
The vulnerability CVE-2026-24061: GNU InetUtils Argument Injection Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
By the Year
In 2026 there have been 2 vulnerabilities in GNU Inetutils, with an average score of 8.6 out of ten. Inetutils did not have any published security vulnerabilities last year, so 2026 already has 2 more reported vulnerabilities than last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 8.60 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.80 |
| 2022 | 1 | 7.50 |
| 2021 | 1 | 6.50 |
It may take a day or so for new Inetutils vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent GNU Inetutils Security Vulnerabilities
Privilege Escalation in GNU inetutils telnetd (<2.7) via systemd credentials
CVE-2026-28372
7.4 - High
- February 27, 2026
telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.
Inclusion of Functionality from Untrusted Control Sphere
Authentication Bypass in GNU Inetutils telnetd <=2.7 via USER var
CVE-2026-24061
9.8 - Critical
- January 21, 2026
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
Argument Injection
Priv Esc in GNU inetutils <2.5 via set*id() in ftpd, rcp, rlogin
CVE-2023-40303
7.8 - High
- August 14, 2023
GNU inetutils before 2.5 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the setuid system call fails when a process is trying to drop privileges before letting an ordinary user control the activities of the process.
Unchecked Return Value
NULL ptr deref in GNU Inetutils telnetd <2.3 (telnet loop crash)
CVE-2022-39028
7.5 - High
- August 30, 2022
telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
NULL Pointer Dereference
The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address
CVE-2021-40491
6.5 - Medium
- September 03, 2021
The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.
Insufficient Verification of Data Authenticity