Critical unpatched telnetd flaw CVE-2026-32746 allows unauthenticated root RCE


A newly disclosed flaw in GNU Inetutils telnetd could let an unauthenticated remote attacker execute code as root before any login prompt appears. The bug, tracked as CVE-2026-32746, affects GNU Inetutils telnetd through version 2.7 and carries a CVSS 3.1 score of 9.8 from MITRE.

Dream Security, which disclosed the issue, said the vulnerability sits in the LINEMODE Set Local Characters handler and stems from a missing bounds check in the add_slc path. NVD describes it as an out-of-bounds write in the LINEMODE SLC suboption handler because the buffer can overflow when add_slc does not verify remaining space.

That matters because the vulnerable code runs during Telnet option negotiation. Dream said an attacker can trigger the flaw by sending a specially crafted message during the initial handshake on TCP port 23, before authentication begins, which can lead to remote code execution with root privileges on affected systems.

The flaw remains unpatched for now. Dream’s advisory says it reported the vulnerability on March 11, 2026, a maintainer confirmed the finding and submitted a fix on March 12, and GNU Inetutils owner Simon Josefsson approved it with a release planned no later than April 1, 2026.

There is one important limit to the current reporting. Dream said there was no confirmed active exploitation at the time of publication. So this is a critical pre-auth root RCE with no public evidence yet of in-the-wild abuse, at least from the sources reviewed here.

What the bug does

Item: Details
CVE: CVE-2026-32746
Product: GNU Inetutils telnetd
Affected versions: All versions through 2.7
Severity: Critical
CVSS 3.1: 9.8
Attack requirements: Network access to TCP port 23, no authentication
Impact: Out-of-bounds write leading to possible root RCE
Patch status: Fix planned no later than April 1, 2026

Why this is serious

Telnet is old, but it has not disappeared. Dream says Telnet still appears in industrial control systems, operational technology environments, embedded systems, and some government networks where modernization moves slowly. In those settings, a pre-authentication flaw on port 23 can turn a legacy remote management service into a direct path to full system compromise.

The practical impact can be severe if telnetd runs as root, which Dream says is common under inetd or xinetd setups. A successful exploit could give an attacker full control of the host, which then opens the door to persistence, data theft, lateral movement, or use of the compromised device as a pivot point. The last part is a reasoned security inference from root-level code execution, not a separate vendor claim.

This disclosure also follows another major telnetd issue. CISA’s Known Exploited Vulnerabilities catalog lists CVE-2026-24061, a separate GNU InetUtils telnetd argument injection flaw, as actively exploited. That earlier case raises the stakes for defenders still running exposed Telnet services.

What admins should do now

  • Disable telnetd if you do not absolutely need it. Dream says service disablement is required until a fix arrives.
  • Block TCP port 23 at the perimeter and on host firewalls wherever possible. This follows directly from the network attack path Dream documented.
  • Isolate any Telnet-dependent systems, especially in OT and legacy environments.
  • Avoid running telnetd with root privileges where operationally possible. Dream lists reduced privilege as a mitigation while waiting for a fix.
  • Watch for the upstream release planned by April 1, 2026, and patch quickly once it lands.
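
To check a host against the first, second and fourth items above, the following added example (not code from Dream's advisory or from GNU Inetutils) audits inetd and xinetd configuration for an enabled telnet service, reports the account it runs as, and filters socket listings for TCP port 23. The function names and all sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a host for an enabled telnetd.
# All sample inputs below are constructed for illustration.

# inetd.conf fields: service socket proto wait user[.group] server args...
audit_inetd() {
    awk '$1 == "telnet" { sub(/[.:].*/, "", $5); print "enabled user=" $5 }' "$1"
}

# xinetd stanza: service telnet { disable = yes|no ; user = <name> ; ... }
audit_xinetd() {
    awk '
        /^[ \t]*#/      { next }
        $1 == "service" { in_t = ($2 == "telnet"); dis = "no"; user = "unknown" }
        in_t && $1 == "disable" { dis = $3 }
        in_t && $1 == "user"    { user = $3 }
        in_t && $1 == "}" {
            print (dis == "yes" ? "disabled" : "enabled user=" user); in_t = 0
        }' "$1"
}

# Reads `ss -Hltn` output on stdin; prints local sockets listening on TCP 23.
listening_on_23() {
    awk '$4 ~ /:23$/ { print $4 }'
}

demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample
#ftp    stream tcp nowait root /usr/sbin/ftpd ftpd
telnet  stream tcp nowait root /usr/sbin/telnetd telnetd
EOF
    cat > "$dir/xinetd_telnet" <<'EOF'
service telnet
{
    disable = yes
    user    = root
    server  = /usr/sbin/telnetd
}
EOF
    echo "inetd:  $(audit_inetd "$dir/inetd.conf")"
    echo "xinetd: $(audit_xinetd "$dir/xinetd_telnet")"
    printf 'LISTEN 0 128 0.0.0.0:23 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n' |
        listening_on_23 | sed 's/^/listening: /'
    rm -rf "$dir"
}
demo
```

On a real host, point the functions at the usual locations (typically /etc/inetd.conf and /etc/xinetd.d/telnet) and pipe `ss -Hltn` into listening_on_23. Telnet services started by other means, such as a standalone daemon or socket activation, only show up in the listening check.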

FAQ

What is CVE-2026-32746?

It is a critical out-of-bounds write in GNU Inetutils telnetd’s LINEMODE SLC handler that can lead to unauthenticated remote code execution as root.

Does the attacker need to log in first?

No. Dream says the bug triggers during Telnet option negotiation, before the login prompt appears.

Which versions are affected?

GNU Inetutils telnetd through version 2.7.

Is there a patch right now?

Not yet from the sources reviewed. Dream says a fix is planned no later than April 1, 2026.

Is it under active exploitation?

There is no confirmed active exploitation for CVE-2026-32746 at publication time, according to Dream. A different telnetd flaw, CVE-2026-24061, is in CISA’s Known Exploited Vulnerabilities catalog.
