## https://sploitus.com/exploit?id=5D5162E4-9130-5E15-A96A-A205E12AF861
# CVE-2026-24061
CVE-2026-24061-PoC
## Overview
An argument injection flaw exists in certain versions of the GNU InetUtils telnet daemon (`telnetd`). This occurs due to insufficient sanitization of environment variables passed from the client during session negotiation.
## Vulnerability Mechanism
The telnet daemon utilizes the `NEW_ENVIRON` option to allow clients to pass environment variables, such as `USER`. When spawning the local login process, the daemon interpolates this variable into the command line arguments for `/usr/bin/login`.
If the input is not sanitized to ensure it contains only valid username characters, a client can pass strings that are interpreted as flags (e.g., arguments starting with `-`) by the underlying login binary.
### Affected Versions
- GNU InetUtils `telnetd` versions 1.9.3 through 2.7 (unpatched).
## Remediation & Patch Verification
### Source-Level Fix
The vulnerability is mitigated by validating the `USER` environment variable before passing it to the execution array. Specifically, any input beginning with a hyphen (`-`) must be rejected or stripped to prevent it from being parsed as an option flag.
```
USER="-f root" telnet -a
```
### Detection and Verification
```
Debian/Ubuntu: dpkg -l | grep inetutils-telnetd
RHEL/CentOS: rpm -qa | grep inetutils
```