CVE-2026-24061CRITICAL 9.8CISA KEVEPSS p99.9%

CVE-2026-24061GNU InetUtils Argument Injection Vulnerability

GNU / InetUtils

Description

GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS98.87% probability of exploitation · percentile 99.9% · 2026-06-15T12:03:41Z
Published2026-01-21
Last modified2026-02-11

CISA KEV entry

Added to KEV: 2026-01-26

Underlying weaknesses· 1

CWE-88

References

  1. https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
  2. https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
  3. https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
  4. https://www.gnu.org/software/inetutils/
  5. https://www.openwall.com/lists/oss-security/2026/01/20/2
  6. https://www.openwall.com/lists/oss-security/2026/01/20/8
  7. https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package
  8. https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Argument Delimiters in a Command ('Argument Injection')cwe-880%live

(incoming)1

TypeTargetConfidenceTier
KEVEntryGNU InetUtils Argument Injection Vulnerabilitykev-cve-2026-240610%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-35083
CVE
CVE-2025-25269
CVE
CVE-2026-49188
CVE
GNU Bash OS Command Injection Vulnerability
CVE
CVE-2026-35085
CVE
CVE-2026-35081
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.