Legacy remote services continue to introduce modern security risk.

CVE-2026-24061 is a critical authentication bypass in the Telnet daemon distributed with GNU Inetutils. A remote attacker can obtain a root shell without credentials simply by connecting to a vulnerable Telnet service and supplying crafted environment data during session setup.

No exploit chain.
No memory corruption.
No brute force.

CAUTION

If Telnet (TCP/23) is reachable, compromise can be immediate.

Quick Facts

Field	Value
CVE	2026-24061
Type	Authentication bypass
Attack vector	Network
Authentication	None
Impact	Root access
Severity	Critical
Affected	GNU Inetutils telnetd ≤ 2.7

Root Cause Overview

Telnet supports the NEW_ENVIRON option, which allows the client to send environment variables such as USER, TERM, and HOST. In vulnerable versions of telnetd, these values were trusted and passed directly into the system login program. Because /usr/bin/login supports flags like:

bash

-f <user>   (skip authentication)

an attacker could send:

bash

USER=-f root

which results in immediate root access. This is an argument injection vulnerability, not memory corruption, caused by unsafe input handling.

Vulnerable Code (Before Patch)

case 'U':
  return getenv("USER") ? xstrdup(getenv("USER")) : xstrdup("");

No validation was performed. Any client-controlled value reached the login process.

Upstream Fixes (From Actual Commits)

Fix 1 - Reject malicious usernames

Source: https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b

case 'U':
-  return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
+  {
+    /* Ignore user names starting with '-' or containing shell metachars */
+    char const *u = getenv ("USER");
+    return xstrdup ((u && *u != '-'
+                     && !strcspn (u, "\t\n !\"#$&'()*;<>?[\\]^`{|}~"))
+                    ? u : "");
+  }

This change blocks:

usernames starting with "-"
shell/control characters
option injection such as "-f root"

Fix 2 - Centralized sanitization for all variables

Source: https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc

static char *
sanitize (const char *u)
{
  if (u && *u != '-'
      && !strcspn (u, "\t\n !\"#$&'()*;<>?[\\]^`{|}~"))
    return u;
  else
    return "";
}

Applied everywhere:

[...]
- return xstrdup (remote_hostname);
+ return xstrdup (sanitize (remote_hostname));
[...]
- return xstrdup (local_hostname);
+ return xstrdup (sanitize (local_hostname));
[...]
- return xstrdup (line);
+ return xstrdup (sanitize (line));
[...]
- return terminaltype ? xstrdup (terminaltype) : NULL;
+ return terminaltype ? xstrdup (sanitize (terminaltype)) : NULL;
[...]

This ensures all Telnet-supplied values are sanitized before use, closing the entire injection class.

Detection Guide

Scan for exposed Telnet services:

bash

nmap -p 23 -sV <target>

Check installation:

bash

dpkg -l | grep inetutils
rpm -qa | grep inetutils

Verify version:

bash

inetutils-telnetd --version

IMPORTANT

If version is <= 2.7, the system is vulnerable.

Check running service:

bash

ss -lntp | grep :23
systemctl status telnetd telnet.socket

Search logs:

bash

grep telnet /var/log/auth.log
last | grep root
journalctl -u telnetd

Remediation

Patch immediately:

bash

apt install --only-upgrade inetutils-telnetd

bash

dnf update inetutils

Disable Telnet:

bash

systemctl disable --now telnetd telnet.socket

Block the port:

bash

ufw deny 23/tcp

Replace Telnet with SSH for secure encrypted access.

Key Takeaway

CVE-2026-24061 is a classic legacy trust failure:

Untrusted environment data became login arguments, leading to root access.
If Telnet exists in your environment, it should be patched or removed immediately.