CVE-2026-28296

Publication date 26 February 2026

Last updated 23 March 2026

Ubuntu priority

Cvss 3 Severity Score

Description

A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gvfs	25.10 questing	Fixed 1.57.2-2ubuntu5.1
	24.04 LTS noble	Fixed 1.54.4-0ubuntu1~24.04.2
	22.04 LTS jammy	Fixed 1.48.2-0ubuntu1.1
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gvfs	Upstream: 21dda19 Upstream: 2916e8d Upstream: 447ee8a

Severity score breakdown

Parameter	Value
Base score	4.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-8114-1
GVfs vulnerabilities
23 March 2026