Number: AL26-002
Date: January 22, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
The Cyber Centre is aware of a critical vulnerability in GNU InetUtils telnetd serviceFootnote 1. In response to the security advisory released on January 20, 2026, the Cyber Centre issued AV26-047 on January 21, 2026.Footnote 2
Tracked as CVE-2026-24061Footnote 3, this vulnerability allows Argument Injection (CWE-88: Improper Neutralization of Argument Delimiters in a Command)Footnote 4 where telnetd passes the USER environment variable to the system login process without sanitizing arguments. This allows an attacker to send a value like -f root, which bypasses authentication and grants remote root access on the affected server.Footnote 5
This vulnerability affects many Linux/UNIX distributions or appliances that ship or enable GNU Inetutils telnetd, especially those with telnet enabled for legacy or embedded use.
Suggested actions
The Cyber Centre recommends that organizations upgrade affected instances of GNU InetUtils to a fixed version when available.
The table below shows affected and patched versions:
| Affected product | Affected versions | Patched versions |
|---|---|---|
| GNU Inetutils telnetd | Version 1.9.3 up to and including 2.7 | Fixed version beyond 2.7 (no patch available yet for Inetutils network utilities package) |
Patches are available to fix the vulnerability in telnetd. However, these must be incorporated into the packages of the various distributions before they can be implemented. Until then, the patches can only be implemented by modifying them in the code (in telnetd/utility.c) and then compiling them independently.Footnote 6
If patching is not immediately possible:
- Disable or do not run telnetd server, or
- Restrict access to the telnet ports to authorized users (eg: firewall rules, network segmentation)
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions with an emphasis on the following topics.Footnote 7
- Patch operating systems and applications
- Harden operating systems and applications
- Isolate web-facing applications
Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal, or email contact@cyber.gc.ca.