VKR Guidance on CVE-2026-24061 (telnetd remote authentication bypass)

Article ID: 434859

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

Security scanning tools deployed within VMware Cloud Foundation (VCF) or standalone environments may flag nodes running VMware Kubernetes Releases (VKR) as vulnerable to CVE-2026-24061. This CVE relates to a remote authentication bypass vulnerability found in the telnetd service within GNU Inetutils up to version 2.7.

Customers may be seeking clarification on exploitability and required remediation steps for their Kubernetes clusters.

Environment

  • Impacted: vcf-kubernetes-distribution-cayman_tkg_ova_signer (VKR) deploying Ubuntu 24 images on Kubernetes versions v1.33 and v1.34.
  • Not Impacted: VMware Kubernetes Service (VKS) and Supervisor releases are not affected. VKR deployments using Photon 5 or Ubuntu 22 do not bundle this package and are also not impacted.

The GNU inetutils package (versions 1.9.3 through 2.7) is bundled with the specific Ubuntu 24 VKR images mentioned above.
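A node-side triage check for the scanner finding described above, added here as an example and not Broadcom's code. It assumes the Ubuntu binary package is named `inetutils-telnetd` and that a running telnetd would listen on TCP 23. Because distribution builds can carry backported fixes, an in-range upstream version confirms the scanner match, not exploitability.

```shell
#!/bin/sh
# Added example (not vendor code): check a node against the 1.9.3-2.7 range.

# Reduce a Debian version string to its upstream part:
# drop the epoch ("2:"), the revision ("-3ubuntu4") and any "+"/"~" suffix.
upstream_version() {
    v=${1#*:}
    v=${v%-*}
    printf '%s\n' "${v%%[+~]*}"
}

# Return 0 when dotted version $1 <= $2, comparing components numerically.
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}
        y=${b%%.*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Return 0 when the package version falls in the range the article names.
in_flagged_range() {
    u=$(upstream_version "$1")
    ver_le 1.9.3 "$u" && ver_le "$u" 2.7
}

check_node() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not found: not a Debian/Ubuntu node"; return 0; }
    pkg=inetutils-telnetd   # assumed binary package name
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || ver=
    if [ -z "$ver" ]; then
        echo "$pkg: not installed"
    elif in_flagged_range "$ver"; then
        echo "$pkg $ver: upstream version within 1.9.3-2.7 (flagged range)"
    else
        echo "$pkg $ver: outside flagged range"
    fi
    # Report whether anything is actually listening on the telnet port.
    if command -v ss >/dev/null 2>&1 && [ -n "$(ss -Hltn 'sport = :23' 2>/dev/null)" ]; then
        echo "listener present on TCP 23"
    else
        echo "no listener detected on TCP 23"
    fi
}
check_node
```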

Resolution

VMware by Broadcom is aware of CVE-2026-24061.
Please refer to the release notes for existing and forthcoming product releases for any updates relating to this CVE.
Should you require further information, please contact Broadcom Support.