VDB

DEBIAN-CVE-2026-3184

DEBIAN-CVE-2026-3184 PUBLISHED CVSS 5.300000190734863 MEDIUM

A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Risk Scores

CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

VendorProductVersions
Debian:12util-linux2.40.4-4, 2.38.1-5, 2.38.1-5+deb12u1
Debian:13util-linux2.42-5, 2.42~rc1-2, 2.42~rc1-1
Debian:14util-linux2.42, 0, 2.41-5
Debian:11util-linux2.41-4, 2.40-2, 2.40.4-3

Timeline

  • Apr 3, 2026 CVE Published
  • May 2, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›