Vulnerability CVE-2026-28295: Information

Description

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.
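The check a client can apply to a PASV reply before opening the data connection, as an added example (not GVfs code and not the upstream fix). The function names `parse_pasv` and `pasv_endpoint_allowed` are hypothetical, the sample addresses are constructed, and the sketch assumes IPv4 with the six fields wrapped in parentheses.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not GVfs code. Parse "227 ... (h1,h2,h3,h4,p1,p2)".
 * Returns 0 on success, -1 if malformed. Assumes parenthesised fields. */
int parse_pasv(const char *reply, unsigned char ip[4], unsigned *port)
{
    unsigned f[6];
    char end;
    const char *p;
    if (strncmp(reply, "227", 3) != 0 || (p = strchr(reply, '(')) == NULL)
        return -1;
    if (sscanf(p, "(%3u,%3u,%3u,%3u,%3u,%3u%c",
               &f[0], &f[1], &f[2], &f[3], &f[4], &f[5], &end) != 7 || end != ')')
        return -1;
    for (int i = 0; i < 6; i++)
        if (f[i] > 255) return -1;          /* each field is one octet */
    for (int i = 0; i < 4; i++)
        ip[i] = (unsigned char)f[i];
    *port = (f[4] << 8) | f[5];
    return 0;
}

/* Return 1 only when the advertised address equals the control-connection
 * peer (peer[] as obtained from getpeername() on the control socket). */
int pasv_endpoint_allowed(const char *reply, const unsigned char peer[4],
                          unsigned *port_out)
{
    unsigned char ip[4];
    unsigned port;
    if (parse_pasv(reply, ip, &port) != 0 || port == 0)
        return 0;
    if (memcmp(ip, peer, 4) != 0)
        return 0;   /* reply points at a different host: do not connect */
    *port_out = port;
    return 1;
}

int main(void)
{
    const unsigned char peer[4] = {203, 0, 113, 10};  /* constructed sample */
    const char *replies[] = {                          /* constructed samples */
        "227 Entering Passive Mode (203,0,113,10,195,80)",
        "227 Entering Passive Mode (10,0,0,5,0,22)" };
    for (int i = 0; i < 2; i++) {
        unsigned port = 0;
        printf("%s -> %s\n", replies[i],
               pasv_endpoint_allowed(replies[i], peer, &port) ? "connect" : "reject");
    }
    return 0;
}
```
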

Severity: MEDIUM (4.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Published: Feb. 26, 2026
Modified: Feb. 27, 2026
Error type identifier: CWE-918

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| gvfs | sisyphus | 1.58.2-alt1 | 1.58.2-alt1 | ALT-PU-2026-3836-1 | 409621 | Fixed |
| gvfs | sisyphus_riscv64 | 1.58.2-alt1 | 1.58.2-alt1 | ALT-PU-2026-3892-1 | - | Fixed |
| gvfs | sisyphus_loongarch64 | 1.58.2-alt1 | 1.58.2-alt1 | ALT-PU-2026-3897-1 | - | Fixed |

References to Advisories, Solutions, and Tools