CVE-2026-28372: CWE-829 Inclusion of Functionality from Untrusted Control Sphere in GNU inetutils
CVE-2026-28372 is a high-severity local privilege escalation vulnerability in GNU inetutils telnetd through version 2.7. telnetd lets the telnet client control the CREDENTIALS_DIRECTORY environment variable of the login process it spawns, and util-linux login(1) 2.40 and later reads systemd service credentials from that directory. An unprivileged local user who creates a crafted login.noauth file in a directory they control and points CREDENTIALS_DIRECTORY at it can therefore bypass authentication and escalate privileges. Exploitation requires local access and no user interaction, and the impact on confidentiality, integrity, and availability is high. No exploitation in the wild had been reported when this entry was written. Organizations running GNU inetutils telnetd where local user access is possible should prioritize patching or mitigation. The CVSS v3.1 base score is 7.4.
AI Analysis
Technical Summary
CVE-2026-28372 is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and affects the telnetd daemon in GNU inetutils versions up to and including 2.7. util-linux 2.40 added systemd service credentials support to login(1): when CREDENTIALS_DIRECTORY is set, login reads credential files from that directory, and a login.noauth credential instructs it to skip authentication. That design assumes the variable is set only by the service manager, which also controls the directory it names. inetutils telnetd breaks the assumption by letting the telnet client control the environment handed to login, CREDENTIALS_DIRECTORY included. An unprivileged local user therefore creates login.noauth in a directory they own, connects to telnetd with a client that exports CREDENTIALS_DIRECTORY pointing at that directory, and login skips the password check. The attack needs a local foothold (somewhere to create the file) but no user interaction and no privileges beyond that; the resulting session carries the privileges of the account login was asked for, potentially root, so the impact on confidentiality, integrity, and availability is high and full system compromise is possible. The CVSS v3.1 base score is 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): local attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on all three properties. No patch or public exploit was listed when this entry was written; systems running GNU inetutils telnetd alongside util-linux 2.40 or later, especially where local users exist, should be treated as exposed.
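The mechanism above, as an added model that is not code from GNU inetutils or util-linux: a telnet client exports variables into the session through the NEW-ENVIRON option (RFC 1572), so the block first decodes such a sub-option, then contrasts a telnetd that forwards every client variable to login with one that applies an allowlist, and models the login-side rule the advisory describes (a present $CREDENTIALS_DIRECTORY/login.noauth skips authentication). The allowlist, the function names and the login model are assumptions for illustration.

```python
"""Model of CVE-2026-28372: client-controlled CREDENTIALS_DIRECTORY reaching login(1).

Added illustration; not inetutils or util-linux code. The allowlist, the
function names and the login-side model are assumptions.
"""
import os
import tempfile

# RFC 1572 NEW-ENVIRON sub-option codes (standard values).
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

# Assumed allowlist of variables a client may export; not inetutils' own list.
SAFE_CLIENT_VARS = frozenset({"TERM", "DISPLAY", "LANG", "LC_ALL", "USER"})


def parse_new_environ(payload: bytes) -> dict:
    """Decode the bytes between 'SB NEW-ENVIRON' and 'IAC SE' of an IS or INFO
    sub-option into {name: value}. Bytes quoted with ESC are taken literally."""
    if not payload or payload[0] not in (IS, INFO):
        raise ValueError("expected an IS or INFO sub-option")
    result = {}
    name = value = None
    target = None                      # bytearray currently receiving data

    def flush():
        if name is not None:
            result[name.decode("latin-1")] = (value or b"").decode("latin-1")

    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):        # a new variable name begins
            flush()
            name, value = bytearray(), None
            target = name
        elif b == VALUE:               # the value for the current name begins
            if name is None:
                raise ValueError("VALUE before any VAR/USERVAR")
            value = bytearray()
            target = value
        else:
            if b == ESC:               # next byte is data, not a code
                i += 1
                if i >= len(payload):
                    raise ValueError("dangling ESC")
                b = payload[i]
            if target is None:
                raise ValueError("data before any VAR/USERVAR")
            target.append(b)
        i += 1
    flush()
    return result


def child_env_vulnerable(client_vars: dict) -> dict:
    """Forward every client-supplied variable to login(1): the behaviour the
    advisory describes, CREDENTIALS_DIRECTORY included."""
    env = {"PATH": "/usr/bin:/bin"}
    env.update(client_vars)
    return env


def child_env_hardened(client_vars: dict) -> dict:
    """Forward only allowlisted variables; CREDENTIALS_DIRECTORY never reaches login."""
    env = {"PATH": "/usr/bin:/bin"}
    env.update({k: v for k, v in client_vars.items() if k in SAFE_CLIENT_VARS})
    return env


def login_grants_session(env: dict, password_ok: bool) -> bool:
    """Assumed model of login(1) 2.40+ credential handling: an existing
    login.noauth in $CREDENTIALS_DIRECTORY means the password check is skipped."""
    cred_dir = env.get("CREDENTIALS_DIRECTORY")
    if cred_dir and os.path.isfile(os.path.join(cred_dir, "login.noauth")):
        return True
    return password_ok


def simulate(build_env) -> bool:
    """Attacker flow: plant login.noauth in a directory they own, then export
    CREDENTIALS_DIRECTORY from the telnet client. Returns whether a session is
    granted even though the password is wrong."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "login.noauth"), "w").close()
        # Constructed NEW-ENVIRON IS payload, as a client would send it.
        payload = (bytes([IS, VAR]) + b"TERM" + bytes([VALUE]) + b"xterm"
                   + bytes([USERVAR]) + b"CREDENTIALS_DIRECTORY"
                   + bytes([VALUE]) + d.encode())
        client_vars = parse_new_environ(payload)
        return login_grants_session(build_env(client_vars), password_ok=False)


if __name__ == "__main__":
    print("pass-through telnetd grants session:", simulate(child_env_vulnerable))
    print("allowlisting telnetd grants session:", simulate(child_env_hardened))
```

The point of the allowlist is that the trust boundary sits in telnetd: login(1) cannot tell a service-manager-provided CREDENTIALS_DIRECTORY from a client-provided one, so the variable must be stripped before the session is spawned.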
Potential Impact
The primary impact of CVE-2026-28372 is local privilege escalation: an unprivileged user gains elevated privileges, potentially root, and with them unauthorized access to sensitive data, modification or deletion of critical system files, and disruption of system availability. Organizations relying on GNU inetutils telnetd for remote or local terminal access are at risk, particularly in multi-user environments such as shared servers, development workstations, or legacy systems where telnet is still in use. A successful exploit can serve as a starting point for lateral movement, persistence, and the exploitation of further vulnerabilities. Although no exploitation in the wild had been reported when this entry was written, the flaw materially widens the attack surface for insider threats and malicious local users, and the high CVSS score reflects that, given how widely GNU inetutils ships in Linux distributions and embedded systems.
Mitigation Recommendations
Start by establishing whether the vulnerable combination is present: GNU inetutils telnetd 2.7 or earlier together with util-linux login(1) 2.40 or later (telnetd alone is not enough, since the credential lookup lives in login). Where it is, the cleanest fix is to disable telnetd entirely and move users to SSH; telnet is a cleartext protocol, so this recommendation stands regardless of this CVE. If telnetd must stay, apply fixes from GNU inetutils or your distribution as soon as they are released and, until then, ensure that client-supplied environment variables cannot reach login, for example by running login through a wrapper that unsets CREDENTIALS_DIRECTORY; restricting who may log in locally reduces the pool of users who can plant the file. Note that file permissions on any particular directory do not help here: the attacker chooses the directory CREDENTIALS_DIRECTORY points at, so any location the user can write to, such as their home directory or /tmp, will do. For detection, alert on login.noauth files outside the systemd credentials tree under /run/credentials, on login or shell processes whose environment carries a CREDENTIALS_DIRECTORY that is not a systemd-provided path, and on telnet sessions that negotiate unusual environment variables. SELinux or AppArmor profiles for telnetd and login can confine what a spawned session may read, and network segmentation that limits telnet to isolated management networks reduces exposure. Finally, keep reminding administrators that legacy services such as telnet carry exactly this class of risk, and push migration to secure protocols.
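An added audit helper for the verification and detection steps above; it is not from inetutils, util-linux or any vendor. It gates exposure on the two version facts the advisory gives (inetutils telnetd at or below 2.7 together with util-linux login at or above 2.40) and hunts for the artefacts an attempt leaves: a login.noauth file outside the systemd credentials tree and a CREDENTIALS_DIRECTORY in a process environment that points outside it. The version-banner formats, the /run/credentials layout and the sample process environments are constructed assumptions; read_proc_environs() is the only part that touches the live system.

```python
"""Audit helper for CVE-2026-28372 (added example, not vendor code).

Assumptions: version banners contain a dotted version somewhere in the text,
and systemd places service credentials below /run/credentials.
"""
import os
import re
import tempfile

SYSTEMD_CRED_ROOT = "/run/credentials"        # assumed systemd layout
_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner: str) -> tuple:
    """Extract the first dotted version from a banner such as
    'telnetd (GNU inetutils) 2.7' as a (major, minor, patch) tuple."""
    m = _VER.search(banner)
    if not m:
        raise ValueError(f"no version in {banner!r}")
    return tuple(int(x or 0) for x in m.groups())


def exposed(telnetd_banner: str, login_banner: str) -> bool:
    """True when the combination the advisory describes is present. Patch
    releases of 2.7 are treated as affected (conservative: major.minor only)."""
    telnetd = parse_version(telnetd_banner)[:2]
    login = parse_version(login_banner)
    return telnetd <= (2, 7) and login >= (2, 40, 0)


def stray_noauth_files(root: str) -> list:
    """Walk `root` and return every login.noauth outside the systemd tree.
    A file a local user could create never lives under /run/credentials."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "login.noauth" in files:
            path = os.path.join(dirpath, "login.noauth")
            if not path.startswith(SYSTEMD_CRED_ROOT + "/"):
                hits.append(path)
    return hits


def suspicious_cred_dirs(environs) -> list:
    """environs: iterable of (pid, environ_bytes) in /proc/<pid>/environ
    format (NUL-separated KEY=VALUE). Returns (pid, dir) pairs whose
    CREDENTIALS_DIRECTORY points outside the systemd tree."""
    out = []
    for pid, blob in environs:
        for entry in blob.split(b"\0"):
            if entry.startswith(b"CREDENTIALS_DIRECTORY="):
                d = entry.split(b"=", 1)[1].decode("utf-8", errors="replace")
                if d != SYSTEMD_CRED_ROOT and not d.startswith(SYSTEMD_CRED_ROOT + "/"):
                    out.append((pid, d))
    return out


def read_proc_environs():
    """Live collection from /proc; reading other users' processes needs root."""
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/environ", "rb") as f:
                    yield int(pid), f.read()
            except OSError:
                continue


# Constructed sample: one legitimate getty with a systemd-provided directory,
# one session whose credentials directory sits in a user's home.
SAMPLE_ENVIRONS = [
    (4242, b"PATH=/usr/bin\0CREDENTIALS_DIRECTORY=/run/credentials/getty@tty1.service\0"),
    (5150, b"TERM=xterm\0CREDENTIALS_DIRECTORY=/home/mallory/.c\0"),
]


def demo() -> dict:
    """Run all three checks on constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp", "x"))
        open(os.path.join(root, "tmp", "x", "login.noauth"), "w").close()
        return {
            "exposed": exposed("telnetd (GNU inetutils) 2.7", "login from util-linux 2.40"),
            "stray": [p[len(root):] for p in stray_noauth_files(root)],
            "procs": suspicious_cred_dirs(SAMPLE_ENVIRONS),
        }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

On a real host, run stray_noauth_files("/") and suspicious_cred_dirs(read_proc_environs()) as root; the process check only catches a session while it is alive, so pair it with auditing of file creation for login.noauth if you need an after-the-fact record.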
Affected Countries
United States, Germany, France, United Kingdom, Japan, India, China, Brazil, Russia, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-02-27T05:28:17.221Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a12e7632ffcdb8a2ebeaa9
Added to database: 2/27/2026, 5:41:10 AM
Last enriched: 2/27/2026, 5:55:42 AM
Last updated: 2/27/2026, 6:47:38 AM