GNU Inetutils <=2.7 Telnet Read Env via NEW_ENVIRON SEND USERVAR: CVE-2026-32772 March 2026

telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.

Vulnerability Analysis

CVE-2026-32772 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

LOW

Integrity Impact:

NONE

Availability Impact:

NONE

Weakness Type

Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

Products Associated with CVE-2026-32772

Want to know whenever a new CVE is published for GNU Inetutils? stack.watch will email you.

GNU Inetutils <=2.7 Telnet Read Env via NEW_ENVIRON SEND USERVAR
CVE-2026-32772 Published on March 13, 2026

Vulnerability Analysis

Weakness Type

Incorrect Resource Transfer Between Spheres

Products Associated with CVE-2026-32772

Affected Versions

GNU Inetutils <=2.7 Telnet Read Env via NEW_ENVIRON SEND USERVARCVE-2026-32772 Published on March 13, 2026

Vulnerability Analysis

Weakness Type

Incorrect Resource Transfer Between Spheres

Products Associated with CVE-2026-32772

Affected Versions

GNU Inetutils <=2.7 Telnet Read Env via NEW_ENVIRON SEND USERVAR
CVE-2026-32772 Published on March 13, 2026