{"cve_id":"CVE-2026-24061","summary":"telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a \"-f root\" value for the USER environment variable.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.87007,"ranking_epss":0.99431,"kev":true,"propose_action":"GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a \"-f root\" value for the USER environment variable.","ransomware_campaign":"Unknown","references":["https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc","https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b","https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html","https://www.gnu.org/software/inetutils/","https://www.openwall.com/lists/oss-security/2026/01/20/2","https://www.openwall.com/lists/oss-security/2026/01/20/8","https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package","https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package","http://www.openwall.com/lists/oss-security/2026/01/22/1","https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061","https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html","https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER='"],"published_time":"2026-01-21T07:16:01","cpes":["cpe:2.3:a:gnu:inetutils:1.9.3","cpe:2.3:a:gnu:inetutils:1.9.4","cpe:2.3:a:gnu:inetutils:2.0","cpe:2.3:a:gnu:inetutils:2.1","cpe:2.3:a:gnu:inetutils:2.2","cpe:2.3:a:gnu:inetutils:2.3","cpe:2.3:a:gnu:inetutils:2.4","cpe:2.3:a:gnu:inetutils:2.5","cpe:2.3:a:gnu:inetutils:2.6","cpe:2.3:a:gnu:inetutils:2.7","cpe:2.3:o:debian:debian_linux:11.0"]}