2443004 – (CVE-2026-28295) CVE-2026-28295 gvfs: GVfs FTP backend: Information disclosure via untrusted PASV responses

Bug 2443004 (CVE-2026-28295) - CVE-2026-28295 gvfs: GVfs FTP backend: Information disclosure via untrusted PASV responses

Summary: CVE-2026-28295 gvfs: GVfs FTP backend: Information disclosure via untrusted P...

Keywords:
Status:	NEW
Alias:	CVE-2026-28295
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-26 13:40 UTC by OSIDB Bzimport
Modified:	2026-02-26 14:02 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-26 13:40:38 UTC

The FTP GVfs backend in daemon/gvfsftptask.c:868-907 unconditionally trusts the IP address and port returned in PASV responses from FTP servers. When handling passive mode data transfers, the code parses the server's PASV reply and directly constructs a GInetSocketAddress without validating that the advertised IP matches the control connection or restricting private/internal addresses. The client then connects to this arbitrary endpoint via g_vfs_ftp_connection_open_data_connection().
This allows an attacker (the malicious server) to probe the existence of open ports accessible to the client.

Note You need to log in before you can comment on or make changes to this bug.