CVE-2026-32746

CriticalPublic PoCUpdated

Published: 13 March 2026

Published

13 March 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0455 89.3th percentile

Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32746 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Gnu Inetutils. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the out-of-bounds write flaw in telnetd, directly eliminating the vulnerability through patching.

SI-16 Memory Protection good match

prevent

Implements memory protections like stack canaries, ASLR, and DEP to prevent exploitation of the buffer overflow for code execution.

CM-7 Least Functionality good match

prevent

Enforces least functionality by disabling unnecessary telnetd service, preventing remote attackers from reaching the vulnerable component.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Out-of-bounds write in publicly reachable telnetd daemon enables unauthenticated remote code execution, directly matching initial access via exploitation of a public-facing network service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.

Deeper analysisAI

CVE-2026-32746 affects the telnetd daemon in GNU inetutils through version 2.7. The vulnerability is an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler, caused by the add_slc function not checking whether the buffer is full. Classified as CWE-120, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe memory corruption.

Any unauthenticated remote attacker with network access to the telnetd service can exploit this flaw with low complexity and no user interaction required. By sending a crafted LINEMODE SLC suboption during a telnet connection, the attacker triggers the out-of-bounds write, enabling high-impact effects such as arbitrary code execution, data tampering, or service crashes affecting confidentiality, integrity, and availability.

Advisories and discussions appear in the GNU inetutils bug mailing list (https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html), OSS-Security announcements (https://www.openwall.com/lists/oss-security/2026/03/12/4 and http://www.openwall.com/lists/oss-security/2026/03/14/1), and a GitHub repository with related analysis (https://github.com/watchtowrlabs/watchtowr-vs-telnetd-CVE-2026-32746). Security practitioners should review these for patch availability and mitigation guidance.