CVE-2026-28372 is a vulnerability classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) affecting the telnetd daemon in GNU inetutils versions through 2.7. The root cause lies in the interaction between telnetd and the systemd service credentials support recently added to the login(1) utility in util-linux version 2.40. Specifically, the vulnerability involves client control over the CREDENTIALS_DIRECTORY environment variable, which is used by the login process to manage credentials securely. An unprivileged local attacker can exploit this by creating a crafted file named login.noauth, which influences the credential handling mechanism, allowing the attacker to escalate privileges on the system. This escalation bypasses normal authentication and authorization controls, potentially granting root or equivalent access. The vulnerability requires local access but does not require user interaction beyond file creation. The CVSS v3.1 base score is 7.4, reflecting high impact on confidentiality, integrity, and availability, with attack vector local, attack complexity high, no privileges required, no user interaction, and unchanged scope. No patches or exploits are currently publicly available, but the vulnerability poses a significant risk to systems running affected versions of GNU inetutils and util-linux. The issue highlights the dangers of trusting environment variables and the need for strict validation in credential management components.

The primary impact of CVE-2026-28372 is local privilege escalation, which can lead to full system compromise. An attacker with local access can leverage this vulnerability to gain root-level privileges, thereby compromising the confidentiality, integrity, and availability of the affected system. This can result in unauthorized access to sensitive data, modification or deletion of critical files, and disruption of services. Organizations relying on GNU inetutils telnetd and util-linux login utilities in their Linux environments, especially servers and critical infrastructure, face increased risk of insider threats or exploitation by attackers who have gained limited local access. The vulnerability could facilitate lateral movement within networks and undermine trust in system authentication mechanisms. Although no public exploits are known yet, the high CVSS score and the nature of the vulnerability warrant urgent attention to prevent potential exploitation.

To mitigate CVE-2026-28372, organizations should: 1) Immediately audit systems for the presence of GNU inetutils telnetd versions through 2.7 and util-linux login versions 2.40 or later. 2) Restrict local user permissions to prevent creation or modification of the login.noauth file, especially in directories controlled by the CREDENTIALS_DIRECTORY environment variable. 3) Implement environment variable sanitization and validation in the login process to ensure untrusted input cannot influence credential handling. 4) Monitor local file system changes and user activities for suspicious creation of files like login.noauth. 5) Consider disabling or replacing telnetd with more secure remote access protocols such as SSH, which do not rely on vulnerable components. 6) Stay alert for official patches or updates from GNU inetutils and util-linux projects and apply them promptly once available. 7) Employ host-based intrusion detection systems (HIDS) to detect anomalous privilege escalation attempts. These steps go beyond generic advice by focusing on controlling environment variables, file creation permissions, and proactive monitoring specific to this vulnerability's exploitation vector.