Cybersecurity researchers reported a critical pre-authentication buffer overflow in the GNU InetUtils telnet daemon that can allow unauthenticated remote code execution as root, tracked as CVE-2026-32746 with a CVSS score of 9.8, in a technical advisory published by Dream.
KEY FACTS
- Vulnerability: Out-of-bounds write in the LINEMODE SLC handler
- CVE: NVD entry for CVE-2026-32746 rated CVSS 9.8
- Affected: GNU InetUtils telnetd versions through 2.7
- Exploit: Pre-auth remote code execution as root via a single connection to port 23
The issue was reported on March 11, 2026. The advisory states the flaw affects all Telnet implementations up to version 2.7. A fix is expected no later than April 1, 2026.
The flaw is an out-of-bounds write triggered in the Set Local Characters suboption handler during LINEMODE option negotiation. The overflow can be triggered before authentication by sending a specially crafted SLC suboption during the initial Telnet handshake.
Because the condition is hit before login and a single connection to port 23 is sufficient, successful exploitation can lead to arbitrary writes and remote code execution as root. If telnetd runs with root privileges, this can allow full system compromise, including persistent backdoors and lateral movement.
Until a patch is released, the advisory recommends disabling Telnet if it is not needed, running telnetd without root privileges where possible, blocking port 23 at network and host firewalls, and isolating Telnet access.
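To check a host against the first two of those mitigations, the sketch below is an added example, not code from the advisory or from GNU InetUtils. It assumes telnetd is launched from a classic inetd-style configuration file; the sample configuration, the function name `audit_inetd`, and the finding fields are constructed for illustration.

```python
import re

# Constructed sample in classic inetd.conf layout (not from a real host):
# service  socket  proto  wait  user  program  args...
SAMPLE_INETD_CONF = """\
# constructed sample
ftp     stream  tcp   nowait      root         /usr/sbin/ftpd     ftpd
telnet  stream  tcp   nowait      root         /usr/sbin/telnetd  telnetd
#telnet stream  tcp6  nowait      root         /usr/sbin/telnetd  telnetd
23      stream  tcp   nowait.400  telnetd:tty  /usr/sbin/telnetd  telnetd
"""


def audit_inetd(text):
    """Return one finding per enabled telnet service line in inetd-style config."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: service is disabled
        fields = line.split()
        if len(fields) < 6:
            continue  # not a complete service entry
        service, _sock, proto, _wait, user, program = fields[:6]
        is_telnet = service in ("telnet", "23") or program.endswith("telnetd")
        if not (is_telnet and proto.startswith("tcp")):
            continue
        # The user field may carry a group suffix ("user:group" or "user.group").
        account = re.split(r"[.:]", user, maxsplit=1)[0]
        as_root = account in ("root", "0")
        findings.append({
            "line": lineno,
            "account": account,
            "runs_as_root": as_root,
            "action": "disable, or firewall port 23 and drop root"
                      if as_root else "disable, or firewall port 23",
        })
    return findings


if __name__ == "__main__":
    for f in audit_inetd(SAMPLE_INETD_CONF):
        print(f"line {f['line']}: telnet enabled as {f['account']} -> {f['action']}")
```

Hosts that start telnetd through xinetd or a systemd socket unit need the equivalent check against those configuration formats.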
WHY IT MATTERS
The vulnerability allows unauthenticated remote code execution during protocol negotiation, so exposed systems are at high risk until patched or mitigations are applied.

