
CVE-2026-24061

January 23, 2026

Patches

https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc

Explanation

From the patch, we can see that the flaw lies in how the telnetd daemon handles the NEW_ENVIRON option during the Telnet protocol handshake.

The daemon fails to properly sanitize the USER environment variable provided by the client before passing it to the system's login utility.

  1. The attacker initiates the connection and negotiates the NEW_ENVIRON option.
  2. The attacker supplies a malicious string for the USER variable. Instead of a username, they inject a command-line flag: -f root
  3. telnetd trusts the environment variable and uses it to construct the arguments for the /bin/login process:
     /bin/login -h <remote_ip> -p -f root

Why does it work?!

The -f flag of the login utility stands for “Forced” or “Pre Authenticated”. It is intended for internal system processes to tell login that the user has already been verified. In our case, that process is telnetd itself.

By injecting the flag, we trick login into believing that the authentication step has already occurred. The utility explicitly skips the password prompt and drops the connection directly into the root shell.
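
One way a daemon can avoid this class of argument injection, as an added example (it is not the inetutils patch and not code from this post): validate the client-supplied USER value and pass it to login as a single argv element after an end-of-options marker. The function names, the 32-character limit, the allowed character set and the assumption that login parses options getopt-style (so "--" ends them) are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 32   /* assumed limit, not taken from the patch */

/* Hypothetical check: 1 if a client-supplied USER value is usable as a login name. */
int user_value_is_safe(const char *user)
{
    size_t i, n = user ? strlen(user) : 0;
    if (n == 0 || n > MAX_USER_LEN || user[0] == '-')
        return 0;                 /* a leading '-' would be parsed as an option */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char) user[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;             /* rejects spaces, quotes and control bytes */
    }
    return 1;
}

/* Fill argv for login; returns argc, or -1 if argv has fewer than 7 slots.
   host is assumed to be set by the daemon itself, never by the client. */
int build_login_argv(const char *host, const char *user,
                     const char *argv[], size_t cap)
{
    int n = 0;
    if (cap < 7)
        return -1;
    argv[n++] = "/bin/login";
    argv[n++] = "-h";
    argv[n++] = host;
    argv[n++] = "-p";
    if (user_value_is_safe(user)) {
        argv[n++] = "--";         /* end of options for getopt-style parsers */
        argv[n++] = user;         /* one element, never re-split on spaces */
    }                             /* otherwise login prompts for a name itself */
    argv[n] = NULL;
    return n;
}

int main(void)
{
    const char *argv[8];
    int i, argc = build_login_argv("192.0.2.10", "-f root", argv, 8); /* constructed input */
    for (i = 0; i < argc; i++)
        printf("%s\n", argv[i]);
    return 0;
}
```

With the USER value from step 2, the username is dropped and login receives only the daemon's own options, so it falls back to its normal name and password prompts.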

Manual POC

[Image: manual exploit]

Exploit

https://github.com/h3athen/CVE-2026-24061

Reference

https://linux.die.net/man/1/telnet
https://nvd.nist.gov/vuln/detail/CVE-2026-24061
https://ubuntu.com/security/CVE-2026-24061