A critical argument injection vulnerability (CVE-2026-24061) in GNU InetUtils telnetd allows remote attackers to bypass authentication and achieve root access. The vulnerability occurs because the telnetd service passes the USER environment variable to the system login process without proper sanitization, enabling attackers to inject arguments such as '-f root'.