Cybersecurity researchers have disclosed a critical, unpatched vulnerability in the GNU Inetutils telnet daemon (telnetd) that poses a severe threat to network security. Tracked as CVE-2026-32746 with a maximum CVSS score of 9.8, this flaw allows an unauthenticated remote attacker to execute arbitrary code with root-level privileges. The vulnerability resides in the LINEMODE Set Local Characters (SLC) suboption handler, where an out-of-bounds write leads to a buffer overflow. This condition can be weaponized to achieve remote code execution (RCE) on the target system, effectively granting an attacker full control without any prior authentication.
The flaw was discovered and reported by Israeli cybersecurity firm Dream on March 11, 2026. It affects all versions of the Telnet service implementation through version 2.7. According to the advisory, exploitation is alarmingly straightforward: an attacker need only establish a single network connection to the default Telnet port (TCP/23) and send a specially crafted message during the initial protocol handshake, before any login prompt appears. This means no credentials, user interaction, or privileged network position is required. The SLC handler, which processes the LINEMODE SLC suboption during Telnet option negotiation, fails to properly validate input, allowing maliciously crafted suboptions with excessive "triplets" to corrupt memory and hijack execution flow.
Successful exploitation of this vulnerability leads to a complete system compromise, as the telnetd service typically runs with root privileges. An attacker gaining this level of access can perform a wide range of post-exploitation activities. These include deploying persistent backdoors for long-term access, exfiltrating sensitive data, and using the compromised host as a pivot point for lateral movement within the network. The pre-authentication nature of the attack makes it particularly dangerous for any internet-facing system running the vulnerable telnetd, as it can be targeted by automated scanning and exploitation tools.
As of now, there is no official patch available for CVE-2026-32746. The maintainers of GNU Inetutils are expected to release a fix by April 1, 2026. In the interim, organizations are urged to take immediate defensive actions. The primary and most effective mitigation is to disable the Telnet service entirely, especially on systems exposed to the internet. Telnet is an inherently insecure protocol that transmits data, including credentials, in plaintext, and its use should be phased out in favor of secure alternatives like SSH (Secure Shell). For systems where Telnet cannot be immediately removed, strict network access controls should be implemented to block port 23/TCP from untrusted networks. Continuous monitoring for exploitation attempts and applying the patch immediately upon its release are critical next steps.
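The monitoring step above can be prototyped by parsing captured Telnet bytes for LINEMODE SLC suboptions and flagging any that carry more triplets than the protocol defines functions for. This is an added example, not code from the advisory or from GNU Inetutils; the function names, the default threshold and `MAX_FUNC` (taken here as 30 from RFC 1184) are assumptions, and the sample bytes are constructed.

```python
"""Flag Telnet LINEMODE SLC suboptions with an abnormal set of triplets."""
IAC, SB, SE = 255, 250, 240
NEGOTIATE = (251, 252, 253, 254)      # WILL, WONT, DO, DONT: IAC cmd option
TELOPT_LINEMODE, LM_SLC = 34, 3       # RFC 1184 option and suboption codes
MAX_FUNC = 30                         # assumption: highest SLC function code in RFC 1184


def suboptions(stream: bytes):
    """Yield (option, data) for each complete IAC SB ... IAC SE in a byte stream."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] in NEGOTIATE:
            i += 3
        elif stream[i + 1] != SB:
            i += 2                    # IAC IAC (escaped 0xFF) or a two-byte command
        else:
            body, j = bytearray(), i + 2
            while j + 1 < n and stream[j:j + 2] != bytes([IAC, SE]):
                if stream[j:j + 2] == bytes([IAC, IAC]):
                    j += 1            # un-escape a doubled 0xFF inside the suboption
                body.append(stream[j])
                j += 1
            if j + 1 >= n:
                return                # unterminated suboption: wait for more data
            if body:
                yield body[0], bytes(body[1:])
            i = j + 2


def slc_findings(stream: bytes, max_triplets: int = MAX_FUNC + 1):
    """Return one finding per LINEMODE SLC suboption that looks abnormal."""
    findings = []
    for option, data in suboptions(stream):
        if option != TELOPT_LINEMODE or data[:1] != bytes([LM_SLC]):
            continue
        triplets = [data[k:k + 3] for k in range(1, len(data) - 2, 3)]
        reasons = []
        if len(triplets) > max_triplets:
            reasons.append("too many triplets")
        if any(t[0] > MAX_FUNC for t in triplets):
            reasons.append("undefined function code")
        if (len(data) - 1) % 3:
            reasons.append("truncated triplet")
        if reasons:
            findings.append({"triplets": len(triplets), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed sample: IAC DO LINEMODE, then an SLC suboption with three triplets.
    ok = bytes([IAC, 253, 34, IAC, SB, 34, LM_SLC, 3, 2, 3, 8, 2, 4, 10, 2, 127, IAC, SE])
    print(slc_findings(ok))
```

Feed it the client-to-server bytes of each reassembled TCP/23 session; a non-empty result before any login prompt is worth alerting on.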



