Full Report
Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges. The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of out-of-bounds write in the LINEMODE Set
Analysis Summary
# Vulnerability: Pre-Auth Out-of-Bounds Write in GNU InetUtils telnetd
## CVE Details
- **CVE ID:** CVE-2026-32746
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-787 (Out-of-bounds Write) / Buffer Overflow
## Affected Systems
- **Products:** GNU InetUtils telnet daemon (telnetd)
- **Versions:** All versions through 2.7
- **Configurations:** Systems running the Telnet service, particularly those where `telnetd` is spawned with root privileges (common under `inetd` or `xinetd` configurations).
## Vulnerability Description
The flaw resides in the **LINEMODE Set Local Characters (SLC)** suboption handler of the Telnet protocol. During the initial handshake—before a user provides any credentials—the daemon processes option negotiations. An attacker can send a specially crafted Telnet message containing an excessive number of "triplets" within the SLC suboption. This causes an out-of-bounds write (buffer overflow), allowing the attacker to corrupt memory and achieve arbitrary writes, which can be leveraged for code execution.
## Exploitation
- **Status:** PoC available (discovered by Dream security researchers); no current reports of exploitation in the wild for this specific CVE, though a similar flaw (CVE-2026-24061) is actively exploited.
- **Complexity:** Low (No special network position or user interaction required).
- **Attack Vector:** Network (Remote via Port 23).
## Impact
- **Confidentiality:** High (Full system access)
- **Integrity:** High (Full system access)
- **Availability:** High (Complete system compromise/DoS)
## Remediation
### Patches
- **Official Fix:** Expected to be released by GNU no later than **April 1, 2026**. Users should monitor GNU InetUtils primary repositories for version 2.8 or security patches.
### Workarounds
- **Disable Service:** Immediately disable the Telnet service if it is not business-critical.
- **Access Control:** Block port 23 at the network perimeter and host-based firewalls.
- **Privilege Reduction:** If the service must run, configure it to run without root privileges (though this may break some functionality).
- **Network Isolation:** Restrict Telnet access to isolated, trusted management segments only.
## Detection
- **Indicators of Compromise:** Unusual binary execution originating from the `telnetd` process; unauthorized root user creation or unexpected persistent backdoors.
- **Detection Methods:** Monitor network traffic for large or malformed SLC suboption negotiation packets during the initial TCP handshake on port 23.
## References
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-32746
- **Researcher Advisory:** hxxps[://]dreamgroup[.]com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/
- **GNU Bug Archive:** hxxps[://]lists[.]gnu[.]org/archive/html/bug-inetutils/2026-03/msg00031[.]html
- **Vendor Source:** hxxps[://]thehackernews[.]com/2026/03/critical-telnetd-flaw-cve-2026-32746[.]html