CVE-2026-28296
CRLF Injection in GVfs FTP Backend Enables Remote Code Execution
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnome | gvfs | up to 2.11.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the GVfs FTP backend on Linux systems. It occurs because the backend does not sanitize user-supplied file paths that contain carriage return and line feed (CRLF) sequences before placing them in an FTP command.
Because CRLF is the command terminator on the FTP control channel, a file path with an embedded CRLF sequence prematurely terminates the intended FTP command, and whatever follows the CRLF is sent as a separate, attacker-chosen FTP command.
This means the attacker can execute arbitrary FTP commands on the server, potentially leading to arbitrary code execution or other severe impacts.
How can this vulnerability impact me?
The vulnerability allows a remote attacker to inject arbitrary FTP commands by exploiting unsanitized file paths containing CRLF sequences.
This can lead to arbitrary code execution or other serious impacts on the affected system.
Since the attacker can control FTP commands, they might manipulate files, disrupt services, or gain unauthorized access depending on the server's configuration and permissions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the injection of arbitrary FTP commands via specially crafted file paths containing CRLF sequences in the GVfs FTP backend. Detection can focus on monitoring FTP traffic for unusual or unexpected FTP commands that may indicate command injection.
You can inspect FTP traffic on your network using packet capture tools like tcpdump or Wireshark to look for FTP command sequences in which a path argument is followed by an unexpected additional command.
- Use tcpdump to capture FTP control-channel traffic: `tcpdump -i <interface> -s 0 -w ftp_traffic.pcap port 21`
- Analyze the captured traffic with Wireshark or tshark to filter FTP commands and check for CRLF sequences in file paths.
- On the affected system, check logs or debug output of the GVfs FTP backend for suspicious file path inputs containing CRLF sequences.
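The following is an added example, not code from GVfs or from this advisory. It implements the two checks described above as a defender would: a fail-closed validator that a client should apply to any path before embedding it in an FTP command (the CWE-93 mitigation), and a scanner that flags log entries whose path argument contains a carriage return or line feed. The log format (`ftp: <CMD> <argument>`, with control characters escaped as `\r` and `\n`) and the sample lines are constructed for the example; the real GVfs debug output looks different and you would adapt the regular expression to it.

```python
import re
from typing import Iterable

# CR and LF terminate an FTP control-channel command (RFC 959 uses CRLF).
# A path carrying either byte can split one command into two, which is
# the CWE-93 pattern this advisory describes.
_CRLF = re.compile(r"[\r\n]")


def contains_crlf(path: str) -> bool:
    """True when the path holds a raw carriage return or line feed."""
    return _CRLF.search(path) is not None


def validate_ftp_argument(path: str) -> str:
    """Reject any path that could break out of a single FTP command.

    Raises ValueError instead of silently stripping the bytes, so a
    client building e.g. 'CWD <path>' fails closed rather than sending
    a truncated or altered command.
    """
    if contains_crlf(path):
        raise ValueError("FTP path argument contains CR or LF")
    return path


# Constructed sample log in a hypothetical format: one command per line,
# control characters written as the escape sequences \r and \n.
SAMPLE_LOG = [
    "ftp: CWD /pub/docs",
    "ftp: RETR /pub/docs/readme.txt",
    "ftp: CWD /pub\\r\\nNOOP",        # path followed by an extra command
    "ftp: STOR /incoming/upload\\n",  # bare LF is just as dangerous
    "unrelated line that does not match the format",
]

_LOG_RE = re.compile(r"^ftp: (?P<cmd>[A-Z]{3,4}) (?P<arg>.*)$")
# Escaped form used by the hypothetical log; raw bytes are caught separately.
_ESCAPED_CRLF = re.compile(r"\\r|\\n")


def scan_log_lines(lines: Iterable[str]) -> list[dict]:
    """Return one finding per log line whose path argument embeds CR/LF."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = _LOG_RE.match(line)
        if not match:
            continue
        arg = match.group("arg")
        if _ESCAPED_CRLF.search(arg) or contains_crlf(arg):
            findings.append(
                {"line": number, "command": match.group("cmd"), "argument": arg}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['command']} {finding['argument']!r}")
```

Note that on the wire an injected `\r\n` is indistinguishable from a normal command boundary, so a packet capture shows the injected command as a second, well-formed command immediately after the path; the log-side check above works because the backend still has the path as a single string at the point where it is logged or validated.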
What immediate steps should I take to mitigate this vulnerability?
Since the vulnerability arises from unsanitized file paths containing CRLF sequences in the GVfs FTP backend, immediate mitigation steps include restricting or monitoring use of the GVfs FTP backend and not passing untrusted file paths to it.
You should consider disabling or limiting the GVfs FTP backend functionality if possible until a patch or fix is available.
Additionally, monitor FTP traffic for suspicious commands and restrict network access to trusted users to reduce the risk of exploitation.
Keep an eye on official updates or patches from your Linux distribution or GVfs maintainers to apply fixes once available.