NIXPKGS-2026-0492

GitHub issue published on 28 Feb 2026

Permalink CVE-2026-28372

7.4 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 3 weeks ago by @anthonyroussel Activity log

Created automatic suggestion 3 weeks, 1 day ago
@anthonyroussel accepted 3 weeks ago
@anthonyroussel published on GitHub 3 weeks ago

telnetd in GNU inetutils through 2.7 allows privilege escalation that …

telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.

References

Affected products

inetutils

=<2.7

Matching in nixpkgs

pkgs.inetutils

Collection of common network programs

nixos-unstable 2.7
- nixpkgs-unstable 2.7
- nixos-unstable-small 2.7
nixos-25.11 2.7
- nixos-25.11-small 2.7
- nixpkgs-25.11-darwin 2.7

Package maintainers

@matthewbauer Matthew Bauer <mjbauer95@gmail.com>

Upstream advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html
Upstream patch: https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0492

References

Affected products

Matching in nixpkgs

pkgs.inetutils

Package maintainers