Bug 2443004 (CVE-2026-28295)

Summary: CVE-2026-28295 gvfs: GVfs FTP backend: Information disclosure via untrusted PASV responses
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-26 13:40:38 UTC 
The FTP GVfs backend in daemon/gvfsftptask.c:868-907 unconditionally trusts the IP address and port returned in PASV responses from FTP servers. When handling passive mode data transfers, the code parses the server's PASV reply and directly constructs a GInetSocketAddress without validating that the advertised IP matches the control connection or restricting private/internal addresses. The client then connects to this arbitrary endpoint via g_vfs_ftp_connection_open_data_connection().
This allows an attacker (the malicious server) to probe the existence of open ports accessible to the client.