- [CVE-2026-24061](https://nvd.nist.gov/vuln/detail/CVE-2026-24061) - [Nixpkgs security tracker issue](http://tracker.security.nixos.org/issues/NIXPKGS-2026-0082) - affected package maintainers: cc @matthewbauer ## Description telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. <details> <summary>CVSS CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</summary> - CVSS version: 3.1 - Attack Vector (AV): Network (N) - Attack Complexity (AC): Low (L) - Privileges Required (PR): None (N) - User Interaction (UI): None (N) - Scope (S): Unchanged (U) - Confidentiality (C): High (H) - Integrity (I): High (H) - Availability (A): High (H) </details> <details> <summary>Affected packages</summary> - `inetutils` (2.6@nixos-25.05, 2.6@nixos-unstable) </details> ## Additional comment ``` Upstream advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html ```
Description
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
CVSS CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected packages
inetutils(2.6@nixos-25.05, 2.6@nixos-unstable)Additional comment