Cyber Resilience

CVE-2026-32746

Severity: Critical · Public PoC

Published: 13 March 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.2367 (97.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-32746 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in GNU inetutils. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32746 is an out-of-bounds write vulnerability in the telnetd component of GNU inetutils through version 2.7. It occurs in the LINEMODE SLC suboption handler because the add_slc function fails to verify whether the buffer is full before writing data, corresponding to CWE-120. The flaw carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can send crafted telnet option sequences to trigger the buffer overflow. Successful exploitation can result in arbitrary code execution, full system compromise, or denial of service on the affected telnet daemon.

Public references include mailing-list disclosures on the GNU inetutils bug list and oss-security, along with a watchTowr Labs repository that demonstrates the issue. The associated EPSS score has remained flat at 0.0530 with no material rise since disclosure, indicating limited observed exploitation interest to date.

Vulnerability details

telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.
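The defect described above and in the deeper analysis is the classic pattern of appending fixed-size records to a fixed-size buffer without first checking that the record fits. The following is an added, hypothetical illustration of the hardened form of such an appender; it is not inetutils code, and `slc_add_checked`, `slc_fill_from_stream`, the buffer size and the sample option stream are all constructed for this example. It models SLC entries as three-octet triples (function, flags, value), fills a deliberately small buffer from an over-long stream, and shows that the capacity check drops the excess triples instead of writing past the end of the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SLC suboption buffer (not the inetutils layout).
   Each SLC entry is a three-octet triple: function, flags, value. */
#define SLC_TRIPLE_LEN 3
#define SLC_BUF_CAP    24   /* room for exactly 8 triples; kept small on purpose */

struct slc_buf {
    unsigned char data[SLC_BUF_CAP];
    size_t len;             /* bytes currently used */
};

/* Wrapper with a sentinel byte placed after the buffer so a test can
   detect any write that runs past data[]. */
struct guarded_slc_buf {
    struct slc_buf b;
    unsigned char canary;
};

static void slc_init(struct slc_buf *b) { memset(b, 0, sizeof *b); }

/* Bounds-checked append. The missing check that the page describes is the
   one performed here: refuse the triple when it would not fit. */
static int slc_add_checked(struct slc_buf *b, unsigned char func,
                           unsigned char flags, unsigned char val)
{
    if (b->len > SLC_BUF_CAP || SLC_BUF_CAP - b->len < SLC_TRIPLE_LEN)
        return -1;          /* buffer full: drop the triple, keep len unchanged */
    b->data[b->len++] = func;
    b->data[b->len++] = flags;
    b->data[b->len++] = val;
    return 0;
}

/* Consume a stream of triples; returns how many were accepted and reports
   how many were rejected because the buffer was full. */
static size_t slc_fill_from_stream(struct slc_buf *b, const unsigned char *stream,
                                   size_t n, size_t *rejected)
{
    size_t accepted = 0;
    *rejected = 0;
    for (size_t i = 0; i + SLC_TRIPLE_LEN <= n; i += SLC_TRIPLE_LEN) {
        if (slc_add_checked(b, stream[i], stream[i + 1], stream[i + 2]) == 0)
            accepted++;
        else
            (*rejected)++;
    }
    return accepted;
}

/* Builds a constructed stream of 10 triples (only 8 fit) and runs it through
   the checked appender. Flag and value bytes are arbitrary sample data. */
static void run_demo(struct guarded_slc_buf *g, size_t *accepted, size_t *rejected)
{
    unsigned char stream[10 * SLC_TRIPLE_LEN];
    for (size_t i = 0; i < 10; i++) {
        stream[3 * i]     = (unsigned char)i;          /* function number */
        stream[3 * i + 1] = 0x03;                      /* sample flags byte */
        stream[3 * i + 2] = (unsigned char)(0x20 + i); /* sample value byte */
    }
    slc_init(&g->b);
    g->canary = 0xA5;
    *accepted = slc_fill_from_stream(&g->b, stream, sizeof stream, rejected);
}

size_t demo_accepted(void)     { struct guarded_slc_buf g; size_t a, r; run_demo(&g, &a, &r); return a; }
size_t demo_rejected(void)     { struct guarded_slc_buf g; size_t a, r; run_demo(&g, &a, &r); return r; }
size_t demo_final_len(void)    { struct guarded_slc_buf g; size_t a, r; run_demo(&g, &a, &r); return g.b.len; }
int    demo_canary_intact(void){ struct guarded_slc_buf g; size_t a, r; run_demo(&g, &a, &r); return g.canary == 0xA5; }

int main(void)
{
    printf("accepted=%zu rejected=%zu len=%zu canary_intact=%d\n",
           demo_accepted(), demo_rejected(), demo_final_len(), demo_canary_intact());
    return 0;
}
```

The check is written as `SLC_BUF_CAP - b->len < SLC_TRIPLE_LEN` rather than `b->len + SLC_TRIPLE_LEN > SLC_BUF_CAP` so that it cannot wrap if `len` were ever corrupted; the extra `b->len > SLC_BUF_CAP` guard keeps the subtraction well-defined in that case. Dropping excess triples is the simplest safe policy for a demonstration; a real daemon would also want to log or terminate the negotiation.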

CWE(s): CWE-120 (Classic Buffer Overflow)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Out-of-bounds write in publicly reachable telnetd daemon enables unauthenticated remote code execution, directly matching initial access via exploitation of a public-facing network service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28372 · Same product: Gnu Inetutils
CVE-2026-5435 · Same vendor: Gnu
CVE-2026-5450 · Same vendor: Gnu
CVE-2025-0689 · Same vendor: Gnu
CVE-2026-24061 · Same product: Gnu Inetutils
CVE-2025-70314 · Shared CWE-120
CVE-2026-5928 · Same vendor: Gnu
CVE-2026-38426 · Shared CWE-120
CVE-2025-29329 · Shared CWE-120
CVE-2025-25567 · Shared CWE-120

Affected Assets

gnu inetutils ≤ 2.7

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation)
Directly requires validation of all input (including telnet option suboptions) to prevent the unchecked buffer write in add_slc.

prevent · CM-7 (Least Functionality)
Requires disabling or restricting non-essential network services such as the vulnerable telnetd daemon.

prevent · SI-16 (Memory Protection)
Applies memory-protection mechanisms that can block successful exploitation of the out-of-bounds write even if it is triggered.
