VDB
DEBIAN-CVE-2026-3184
DEBIAN-CVE-2026-3184
PUBLISHED
CVSS 5.300000190734863 MEDIUM
A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | util-linux | 2.40.4-4, 2.38.1-5, 2.38.1-5+deb12u1 |
| Debian:13 | util-linux | 2.42-5, 2.42~rc1-2, 2.42~rc1-1 |
| Debian:14 | util-linux | 2.42, 0, 2.41-5 |
| Debian:11 | util-linux | 2.41-4, 2.40-2, 2.40.4-3 |
Timeline
- Apr 3, 2026 CVE Published
- May 2, 2026 CVE Updated