
Debian 11 inetutils Important DLA-4527-1 Privilege Escalation Threat

April 11, 2026
Several vulnerabilities were discovered in the inetutils implementation of telnetd and telnet, which may result in privilege escalation or information disclosure.

Summary

CVE-2026-28372

Ron Ben Yizhak from SafeBreach found that the fix for CVE-2026-24061 was
not complete and can be exploited by abusing systemd service credentials
support added to the login(1) implementation of util-linux in release 2.40.

Debian bullseye does not include util-linux 2.40, so this problem does
not affect it. It was still addressed in case someone manually updates
util-linux and thus exposes this vulnerability.

CVE-2026-32746

Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel
of DREAM Security Research Team found that the telnetd server has a buffer
overflow in the LINEMODE SLC (Set Local Characters) suboption handler.
This can lead to potential pre-login remote code execution.

CVE-2026-32772

Justin Swartz discovered that telnet allows servers to read arbitrary
environment variables from clients via NEW_ENVIRON SEND USERVAR.
This can lead to information disclosure.
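
As an added example (not code from the advisory or from inetutils), the following Python parses a captured server-to-client telnet stream and lists the variables a server requests through NEW_ENVIRON SEND, so a client-side monitor can flag requests outside an expected set. The option codes follow RFC 1572; the allowlist and the sample bytes are assumptions constructed for illustration.

```python
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39  # RFC 854 / RFC 1572
SEND, VAR, ESC, USERVAR = 1, 0, 2, 3

def subnegotiations(stream: bytes):
    """Yield (option, payload) for every complete IAC SB ... IAC SE block."""
    i = 0
    while i < len(stream) - 2:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] == SB:
            option, payload, i = stream[i + 2], bytearray(), i + 3
            while i < len(stream) - 1:
                if stream[i] == IAC and stream[i + 1] == SE:
                    yield option, bytes(payload)
                    i += 2
                    break
                if stream[i] == IAC and stream[i + 1] == IAC:
                    i += 1  # doubled IAC is one literal 0xFF data byte
                payload.append(stream[i])
                i += 1
        else:
            i += 3 if 251 <= stream[i + 1] <= 254 else 2  # WILL..DONT carry an option

def requested_env_vars(server_to_client: bytes):
    """Return [(kind, name)] for each variable named in a NEW_ENVIRON SEND."""
    found = []
    for option, body in subnegotiations(server_to_client):
        if option != NEW_ENVIRON or body[:1] != bytes([SEND]):
            continue
        if len(body) == 1:
            found.append(("ALL", ""))  # bare SEND asks for every variable
        entries, i = [], 1
        while i < len(body):
            if body[i] in (VAR, USERVAR):
                entries.append(["VAR" if body[i] == VAR else "USERVAR", bytearray()])
            elif entries:
                if body[i] == ESC and i + 1 < len(body):
                    i += 1  # ESC quotes the next byte of the name
                entries[-1][1].append(body[i])
            i += 1
        found += [(kind, name.decode("latin-1")) for kind, name in entries]
    return found

def unexpected_requests(server_to_client: bytes, allowed=frozenset({"USER", "DISPLAY"})):
    """Requests for names outside the allowlist (the allowlist is an assumption)."""
    return [r for r in requested_env_vars(server_to_client) if r[1] not in allowed]

# Constructed sample: IAC DO NEW_ENVIRON, then SEND VAR "USER" USERVAR "EXAMPLE_SECRET".
SAMPLE = (bytes([IAC, 253, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, SEND, VAR]) + b"USER"
          + bytes([USERVAR]) + b"EXAMPLE_SECRET" + bytes([IAC, SE]))
```

A bare SEND or an empty USERVAR name asks for every variable, so both are reported rather than ignored.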



Severity: important

Package: inetutils
Version: 2:2.0-1+deb11u4
CVE ID: CVE-2026-28372 CVE-2026-32746 CVE-2026-32772
Debian Bug: 1130741 1130742
