CVE-2026-32772
Status: Analyzed (Analysis Complete)
Information Disclosure via NEW_ENVIRON in GNU inetutils Telnet

Publication date: 2026-03-16

Last updated on: 2026-05-05

Assigner: MITRE

Description
telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.
Meta Information

Published: 2026-03-16
Last Modified: 2026-05-05
Generated: 2026-05-07
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)

Vendor: gnu
Product: inetutils
Version / Range: up to and including 2.7
CWE

CWE-669: The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32772 is a vulnerability in the telnet client of GNU inetutils through version 2.7, also present in the telnet clients of several other Unix-like systems, that allows a telnet server to read arbitrary environment variables from a connecting client. The server does this through the NEW-ENVIRON telnet option combined with the SEND USERVAR command, which requests named environment variables from the client.

The vulnerability arises because the affected telnet clients answer such a request with the value of any variable the server names, without requiring that variable to have been explicitly exported to the server by the client. As a result, sensitive environment data can be disclosed to a malicious telnet server.

The issue was reintroduced on some systems, such as Debian 12, when they switched to the inetutils telnet client, and it also affects FreeBSD, NetBSD, OpenBSD (partially), and Oracle Solaris. It can be exploited by tricking a user into connecting to a malicious telnet server, for example via a telnet:// URI link in a browser.


How can this vulnerability impact me?

This vulnerability can lead to the unintended disclosure of sensitive environment variables from a user's system to a malicious telnet server. Environment variables often contain sensitive information such as authentication tokens, configuration details, or other private data.

An attacker can exploit this by convincing a user to connect to a malicious telnet server, for example through a specially crafted telnet:// URI link or HTTP redirect. Once connected, the attacker can request and obtain arbitrary environment variables from the client.

This exposure can compromise user privacy and security by leaking confidential information that could be used for further attacks or unauthorized access. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by running a minimal telnet server that requests environment variables from connecting telnet clients using the NEW-ENVIRON option with a SEND USERVAR subnegotiation.

A proof-of-concept program named envscraper.c is available. It sets up a TCP server on localhost port 23232, accepts telnet client connections, and sends the telnet negotiation commands that request specific environment variables.

By running this program and connecting to it with the telnet client under test, you can observe whether the client returns the requested environment variables; if it does, the client is vulnerable.

Alternatively, you can monitor network traffic for telnet sessions in which the server sends NEW-ENVIRON SEND USERVAR subnegotiations, which indicate attempts to read environment variables from the client.

No specific standard commands are provided; testing clients against the envscraper.c proof of concept or a similar minimal telnet server is the recommended detection method.
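The traffic-monitoring approach mentioned above, as an added example that is not code from this page, from envscraper.c or from the inetutils project: the script parses the server-to-client half of a telnet stream, extracts NEW-ENVIRON subnegotiations and flags SEND requests that name USERVARs or that list no names at all (which RFC 1572 defines as a request for every variable). The option and command numbers are the RFC 854/1572 constants; the byte sample at the end is constructed, including the variable name SECRET_TOKEN.

```python
IAC, SB, SE, WILL, WONT, DO, DONT = 255, 250, 240, 251, 252, 253, 254  # RFC 854
NEW_ENVIRON, SEND, VAR, ESC, USERVAR = 39, 1, 0, 2, 3                    # RFC 1572

def subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE, unescaping IAC IAC."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:  # IAC IAC data escape or a 2/3-byte command
            i += 3 if stream[i + 1] in (WILL, WONT, DO, DONT) else 2
        else:
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while j < n and stream[j:j + 2] != bytes([IAC, SE]):
                if stream[j:j + 2] == bytes([IAC, IAC]):
                    j += 1  # IAC IAC -> one literal 0xFF byte
                payload.append(stream[j])
                j += 1
            yield option, bytes(payload)
            i = j + 2

def parse_send(payload: bytes):
    """SEND payload -> [(kind, name), ...]; None if not a SEND; [] = all variables (RFC 1572)."""
    if not payload or payload[0] != SEND:
        return None
    names, k = [], 1
    while k < len(payload) and payload[k] in (VAR, USERVAR):
        kind, name, k = payload[k], bytearray(), k + 1
        while k < len(payload) and payload[k] not in (VAR, USERVAR):
            if payload[k] == ESC and k + 1 < len(payload):
                k += 1  # ESC quotes the next byte, even a VAR/USERVAR marker
            name.append(payload[k])
            k += 1
        names.append(("USERVAR" if kind == USERVAR else "VAR", name.decode("latin-1")))
    return names

def env_request_findings(server_to_client: bytes) -> list:
    """Findings a client-side monitor should raise for NEW-ENVIRON SEND requests."""
    findings = []
    for option, payload in subnegotiations(server_to_client):
        req = parse_send(payload) if option == NEW_ENVIRON else None
        if req == []:
            findings.append("SEND with empty list (asks for every variable)")
        findings += [f"SEND USERVAR {n}" for kind, n in (req or []) if kind == "USERVAR"]
    return findings

# Constructed sample: DO NEW-ENVIRON, a SEND naming VAR USER plus two USERVARs, then a login prompt.
SAMPLE = (bytes([IAC, DO, NEW_ENVIRON]) + bytes([IAC, SB, NEW_ENVIRON, SEND, VAR]) + b"USER"
          + bytes([USERVAR]) + b"SECRET_TOKEN" + bytes([USERVAR]) + b"HOME"
          + bytes([IAC, SE]) + b"login: ")
```

A request for the well-known VAR USER is ordinary NEW-ENVIRON usage and is not reported; only USERVAR names and empty lists are, which is the pattern this CVE relies on.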


What immediate steps should I take to mitigate this vulnerability?

I don't know

