Critical GNU Inetutils telnetd flaw allows pre-auth remote code execution over port 23
A critical vulnerability in GNU Inetutils telnetd can let an unauthenticated remote attacker trigger memory corruption during the Telnet handshake and potentially execute code as root. The flaw is tracked as CVE-2026-32746, affects GNU Inetutils telnetd through version 2.7, and carries a CVSS 3.1 score of 9.8 from MITRE.
The bug sits in the LINEMODE Set Local Characters, or SLC, suboption handler. NVD says add_slc does not check whether the buffer is full, which leads to an out-of-bounds write. Dream Security says the vulnerable code path can be reached during the initial connection handshake, before any login prompt appears.
That makes this a serious issue for any environment that still exposes Telnet on TCP port 23. Dream Security says no authentication or user interaction is required, and notes that successful exploitation can result in remote code execution as root because telnetd commonly runs with elevated privileges under inetd or xinetd.
What CVE-2026-32746 affects
The vulnerability affects GNU Inetutils telnetd through version 2.7. Dream Security says exposed systems may include Linux distributions that ship Inetutils, embedded devices, older network appliances, and operational technology deployments that still rely on Telnet for remote access or console management.
This matters most in legacy environments. Dream Security specifically points to ICS, OT, and some government networks where old PLCs, SCADA systems, and other field equipment still depend on Telnet because replacing or modernizing them is costly or disruptive. That context does not change the bug itself, but it does raise the real-world risk for operators that still have Telnet exposed.
Why this telnetd bug is dangerous
The attack happens before authentication. Dream Security says a specially crafted LINEMODE SLC message sent during option negotiation can trigger the overflow without valid credentials. NVD’s CVSS vector also reflects that profile with network attackability, low attack complexity, no privileges required, and no user interaction.
If exploited successfully, the impact can be severe. Dream Security says attackers may gain arbitrary remote code execution as root, install persistent backdoors, steal data, or use the system as a pivot point for further intrusion. Because Telnet often sits on older or harder-to-replace systems, the recovery burden can be high even when the number of exposed hosts is limited.
Key details at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-32746 |
| Product | GNU Inetutils telnetd |
| Affected versions | Through 2.7 |
| Vulnerability type | Out-of-bounds write / classic buffer overflow |
| Attack point | LINEMODE SLC suboption handler |
| Authentication required | No |
| User interaction | No |
| Network exposure | TCP port 23 |
| Severity | Critical, CVSS 9.8 |
Source: NVD and Dream Security.
Patch status and timeline
Dream Security says it reported the issue to the GNU Inetutils team on March 11, 2026. According to its disclosure timeline, maintainer Collin Funk confirmed the issue and submitted a fix on March 12, and project owner Simon Josefsson approved it with a release planned no later than April 1, 2026. The CVE was published on March 13, 2026.
At the time of publication, Dream Security said it had no confirmed evidence of active exploitation in the wild. That said, the combination of unauthenticated network reachability and trivial exposure on port 23 makes this a patch-or-disable issue for any system still running the vulnerable daemon.
What defenders should do now
The best option is to disable telnetd if the service is no longer required. Dream Security explicitly recommends service disablement until a fix is released.
If Telnet must stay online for operational reasons, restrict port 23 to a tightly controlled management network or specific trusted hosts. This mitigation follows directly from the documented network attack path and Dream Security’s recommendation to limit exposure while awaiting a fixed release.
Security teams should also log and monitor new connections to port 23 and inspect unusual LINEMODE negotiation traffic where possible. Dream Security notes that standard authentication logs may miss this attack because the malicious input arrives before login, so network-layer visibility becomes more important.
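One way to get that network-layer visibility, shown as an added example that is not code from Dream Security or GNU Inetutils: the parser below walks a captured client-to-server Telnet byte stream, extracts LINEMODE SLC suboptions using the RFC 1184 framing, and reports how many triplets each one carries. The `MAX_TRIPLETS` ceiling, the function names and the sample bytes are assumptions constructed for illustration, not a signature taken from the advisory.

```python
"""Count SLC triplets in Telnet LINEMODE suboptions from a captured stream."""
from typing import Dict, Iterator, List, Tuple

IAC, SB, SE = 255, 250, 240   # Telnet framing bytes (RFC 854/855)
LINEMODE, LM_SLC = 34, 3      # option and suboption codes (RFC 1184)
MAX_TRIPLETS = 30             # assumed, tunable ceiling; not from the advisory

# Constructed sample: WILL LINEMODE, a NAWS suboption, then an SLC suboption
# with four triplets, the last one holding an escaped 255 (sent as IAC IAC).
SAMPLE = bytes([255, 251, 34,
                255, 250, 31, 0, 80, 0, 24, 255, 240,
                255, 250, 34, 3, 1, 0, 0, 3, 2, 3, 10, 2, 127,
                8, 2, 255, 255, 255, 240])


def iter_suboptions(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (option, data) for every complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT (251-254) carry one option byte after the command
            i += 3 if 251 <= cmd <= 254 else 2
            continue
        option, j, data = stream[i + 2], i + 3, bytearray()
        while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
            if stream[j] == IAC and stream[j + 1] == IAC:
                j += 1                    # IAC IAC is an escaped literal 255
            data.append(stream[j])
            j += 1
        if j + 1 >= n:
            return                        # unterminated suboption: truncated capture
        yield option, bytes(data)
        i = j + 2


def check_stream(stream: bytes, max_triplets: int = MAX_TRIPLETS) -> List[Dict]:
    """Report the triplet count of each LINEMODE SLC suboption in the stream."""
    findings = []
    for option, data in iter_suboptions(stream):
        if option == LINEMODE and data[:1] == bytes([LM_SLC]):
            count = (len(data) - 1) // 3  # each SLC entry is function, flags, value
            findings.append({"triplets": count, "flagged": count > max_triplets})
    return findings
```

Feed it the reassembled client side of a port 23 session and alert on any entry with `flagged` set, tuning the ceiling against what legitimate clients on the network actually send.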
Immediate mitigation checklist
- Disable GNU Inetutils telnetd wherever possible.
- Block or strictly limit inbound access to TCP port 23.
- Prioritize legacy OT, ICS, and appliance-like systems that still use Telnet.
- Watch for unexpected pre-auth Telnet negotiation traffic instead of relying only on login logs.
- Apply the official fixed release as soon as GNU Inetutils ships it.
FAQ
CVE-2026-32746 is a critical out-of-bounds write vulnerability in GNU Inetutils telnetd. NVD says the flaw exists in the LINEMODE SLC handler because add_slc does not verify available buffer space.
No. Dream Security says the flaw is reachable during the initial Telnet handshake before any authentication prompt appears.
NVD and Dream Security both say GNU Inetutils telnetd through version 2.7 is affected.
Dream Security said there was no confirmed exploitation in the wild at the time it published its advisory.
Disable telnetd if possible. If that is not possible, restrict access to port 23 and plan to apply the vendor fix as soon as the updated release becomes available.