CVE-2026-32772

Published Mar 16, 2026

Last updated 10 days ago

CVSS low 3.4

Overview

Description
telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.
Source
cve@mitre.org
NVD status
Analyzed
Products
inetutils

Risk scores

CVSS 3.1

Type
Primary
Base score
4.7
Impact score
1.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

cve@mitre.org
CWE-669

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.CVE-2026-32746
  2. telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.CVE-2026-28372
  3. GNU InetUtils Argument Injection VulnerabilityCVE-2026-24061

References

Sources include official advisories and independent security research.