CVE-2026-32746
Published: 13 March 2026
Summary
CVE-2026-32746 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in GNU inetutils. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-32746 is an out-of-bounds write vulnerability in the telnetd component of GNU inetutils through version 2.7. It occurs in the LINEMODE SLC suboption handler because the add_slc function fails to verify whether the buffer is full before writing data, corresponding to CWE-120. The flaw carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can send crafted telnet option sequences to trigger the buffer overflow. Telnet option and suboption negotiation is processed before any login prompt is shown, so no credentials are needed to reach the vulnerable handler. Successful exploitation can result in arbitrary code execution, denial of service on the affected telnet daemon, or full system compromise, the latter because telnetd conventionally runs as root in order to spawn the login process.
Public references include mailing-list disclosures on the GNU inetutils bug list and oss-security, along with a watchTowr Labs repository that demonstrates the issue. The associated EPSS score has remained flat at 0.0530 with no material rise since disclosure, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12065
Vulnerability details
telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.
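The following C model, added here and not taken from the inetutils source or the watchTowr Labs repository, reconstructs the shape of the bug stated above and in the Deeper analysis: a fixed-size reply buffer, an add_slc that appends (function, flags, value) triples with IAC doubling and no capacity check, and the bounds-checked variant beside it. The client-suboption parser, the buffer size (NSLC = 18), the echo-every-triple reply policy and the NEIGHBOUR region that stands in for whatever follows the buffer in memory are assumptions of this model so that it runs stand-alone and stays memory-safe; the real layout and the fixed release are not given on this page.

```c
/* Model of telnetd's LINEMODE SLC reply buffer: an unchecked add_slc beside a bounds-checked
 * one. Added illustration, not the GNU inetutils source: NSLC, the buffer layout, the
 * echo-every-triple reply policy and the NEIGHBOUR region are assumptions of this model. */
#include <stdio.h>
#include <string.h>

enum { IAC = 255, SB = 250, SE = 240, TELOPT_LINEMODE = 34, LM_SLC = 3, SLC_VALUE = 2 }; /* RFC 854/1184 */
enum { NSLC = 18, SLC_BUFSIZE = 4 + NSLC * 6 + 2,  /* assumed count; header + escaped triples + trailer */
       NEIGHBOUR = 256 };                          /* modelled memory that follows slcbuf */
struct slc_state {
    unsigned char mem[SLC_BUFSIZE + NEIGHBOUR]; /* mem[0..SLC_BUFSIZE) plays slcbuf */
    size_t pos;                                 /* the real code's slcptr, as an index */
    int truncated;                              /* hardened path dropped a triple */
};

/* Raw store. The guard only keeps this model inside its own array; the real add_slc has none. */
static void put_byte(struct slc_state *s, unsigned char c) {
    if (s->pos < sizeof s->mem) s->mem[s->pos++] = c;
}
static void start_slc(struct slc_state *s) {
    memset(s->mem, 0xAA, sizeof s->mem);  /* canary: a non-0xAA byte past slcbuf means overflow */
    s->pos = 0; s->truncated = 0;
    put_byte(s, IAC); put_byte(s, SB); put_byte(s, TELOPT_LINEMODE); put_byte(s, LM_SLC);
}
static void end_slc(struct slc_state *s) { put_byte(s, IAC); put_byte(s, SE); }

/* Vulnerable shape: appends a (func, flags, value) triple, doubling 0xFF as IAC IAC,
 * without asking whether slcbuf has room. */
static void add_slc_unchecked(struct slc_state *s, unsigned char func,
                              unsigned char flags, unsigned char val) {
    unsigned char t[3] = { func, flags, val };
    for (int i = 0; i < 3; i++) { put_byte(s, t[i]); if (t[i] == IAC) put_byte(s, IAC); }
}
/* Hardened shape: a triple needs at most 6 bytes, the IAC SE trailer 2 more; refuse and
 * record rather than write when that worst case does not fit. */
static int add_slc_checked(struct slc_state *s, unsigned char func,
                           unsigned char flags, unsigned char val) {
    if (s->pos + 6 + 2 > SLC_BUFSIZE) { s->truncated = 1; return -1; }
    add_slc_unchecked(s, func, flags, val);
    return 0;
}

/* Parses one client suboption (IAC SB LINEMODE SLC ... IAC SE), un-doubling IAC IAC, and
 * echoes each triple into the reply. Returns triples placed in the reply, -1 if malformed. */
static int handle_slc_suboption(struct slc_state *s, const unsigned char *wire,
                                size_t n, int hardened) {
    unsigned char t[3]; size_t i, k = 0; int added = 0, terminated = 0;
    if (n < 6 || wire[0] != IAC || wire[1] != SB || wire[2] != TELOPT_LINEMODE || wire[3] != LM_SLC)
        return -1;
    start_slc(s);
    for (i = 4; i < n; i++) {
        unsigned char c = wire[i];
        if (c == IAC) {
            if (i + 1 >= n) return -1;                      /* dangling IAC */
            if (wire[i + 1] == SE) { terminated = 1; break; }
            if (wire[i + 1] != IAC) return -1;              /* only IAC IAC is legal inside SB */
            i++;                                            /* IAC IAC -> one 0xFF data byte */
        }
        t[k++] = c;
        if (k == 3) {                                       /* a trailing partial triple is ignored */
            k = 0;
            if (!hardened) { add_slc_unchecked(s, t[0], t[1], t[2]); added++; }
            else if (add_slc_checked(s, t[0], t[1], t[2]) == 0) added++;
        }
    }
    if (!terminated) return -1;
    end_slc(s);
    return added;
}
/* 1 if the reply spilled past slcbuf into the modelled neighbouring memory. */
static int reply_overflowed(const struct slc_state *s) {
    for (size_t i = SLC_BUFSIZE; i < sizeof s->mem; i++) if (s->mem[i] != 0xAA) return 1;
    return 0;
}

/* Constructed client input: ntriples triples cycling through function numbers, each with
 * value 0xFF so it is doubled on the wire. Returns the wire length, 0 if cap is too small. */
static size_t build_slc_suboption(unsigned char *out, size_t cap, size_t ntriples) {
    size_t i, len = 0;
    if (cap < 6 + ntriples * 4) return 0;
    out[len++] = IAC; out[len++] = SB; out[len++] = TELOPT_LINEMODE; out[len++] = LM_SLC;
    for (i = 0; i < ntriples; i++) {
        out[len++] = (unsigned char)(i % NSLC + 1); out[len++] = SLC_VALUE;
        out[len++] = IAC; out[len++] = IAC;
    }
    out[len++] = IAC; out[len++] = SE;
    return len;
}

int main(void) {
    unsigned char wire[512]; struct slc_state s;
    size_t n = build_slc_suboption(wire, sizeof wire, 40);  /* more triples than slcbuf holds */
    for (int hardened = 0; hardened < 2; hardened++) {
        int a = handle_slc_suboption(&s, wire, n, hardened);
        printf("%s: %d echoed, %zu of %d bytes, overflow=%d, truncated=%d\n",
               hardened ? "checked" : "unchecked", a, s.pos, SLC_BUFSIZE, reply_overflowed(&s), s.truncated);
    }
    return 0;
}
```

With a 40-triple suboption the unchecked pass writes 166 bytes into a 114-byte buffer and clobbers the canary region; the checked pass stops after 26 triples, sets truncated and never leaves slcbuf. The whole fix is the single capacity test in add_slc_checked applied before every write; when auditing similar option handlers, look for any append into a fixed buffer whose iteration count is taken from the peer.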
- CWE-120: Classic Buffer Overflow
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
Out-of-bounds write in publicly reachable telnetd daemon enables unauthenticated remote code execution, directly matching initial access via exploitation of a public-facing network service.
Affected Assets
- GNU inetutils telnetd, versions through 2.7
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all input, including telnet option suboptions, to prevent the unchecked buffer write in add_slc. This is a developer-side control; operators realise it only by running a telnetd that contains the check.
- CM-7 (Least Functionality): requires disabling or restricting non-essential network services such as the vulnerable telnetd daemon. Check for a listener on TCP 23 (typically spawned from inetd/xinetd or a systemd socket unit) and disable it; since telnet also carries credentials in cleartext, retiring it is warranted independently of this CVE.
- SI-16 (Memory Protection): applies memory-protection mechanisms (non-executable memory, ASLR, stack protectors) that can block successful exploitation of the out-of-bounds write even if it is triggered; these raise the cost of code execution but do not prevent a crash of the daemon.