GNU Inetutils telnetd CVSS 9.8 pre-authentication remote code execution vulnerability (CVE-2026-32746)
Contents
A buffer overflow vulnerability was found in GNU Inetutils’ telnetd that could allow remote root privileges to be taken without authentication. CVSS score is 9.8. Patch hasn’t come out yet.
Vulnerability Overview
| Item | Contents |
|---|---|
| CVE | CVE-2026-32746 |
| CVSS 3.1 | 9.8 (Critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-120 (Buffer Copy without Checking Size of Input) |
| Scope of impact | GNU Inetutils telnetd all versions (~2.7) |
| Discoverer | Dream Security (Israeli cybersecurity company), researcher Adiel Sol |
| Patch status | Not released (scheduled to be released by April 1, 2026) |
Technical details
The vulnerability exists in the processing of the LINEMODE SLC (Set Local Characters) suboption during Telnet protocol option negotiation.
What is LINEMODE SLC?
The Telnet protocol has several modes. LINEMODE is a mode that sends data line by line, and SLC (Set Local Characters) is a suboption for negotiating the mapping of local characters (interrupt, exit, erase, etc.) between the client and server. SLC data is transmitted in sets of 3 bytes called “triplets.”
How buffer overflows work
The add_slc function that processes SLC suboptions does not check the buffer capacity. An out-of-bounds write can occur when an attacker sends a crafted SLC suboption that contains an abnormally large number of triplets.
Importantly, this overflow occurs before the authentication prompt is displayed, during the connection handshake. You don’t even need to enter a username or password; you can simply connect to port 23 and send a packet to trigger it.
Attack flow
graph TD
A[攻撃者] -->|TCP接続| B[ポート23<br/>telnetd]
B --> C[オプションネゴシエーション開始]
C --> D[細工済みLINEMODE SLC<br/>サブオプション送信]
D --> E[add_slc関数で<br/>バッファオーバーフロー発生]
E --> F[メモリ破壊<br/>→ 任意コード実行]
F --> G[root権限奪取]
G --> H[バックドア設置<br/>データ窃取<br/>横展開]Since telnetd normally runs with root privileges via inetd or xinetd, if the overflow is successful, the code will be executed with root privileges.
Affected environment
Although Telnet is almost obsolete on general web servers and desktops, it still works in the following environments:
| Environment | Applications |
|---|---|
| ICS/OT (Industrial Control System) | SCADA environment and PLC management interface |
| Government/Public Institution Network | Environment with Legacy Infrastructure |
| Embedded devices/IoT devices | Devices that provide a management console via Telnet |
| Universities and research institutes | Remote access to old computing resources |
Modernization cycles in these environments are slow, and migration to SSH is often slow.
Mitigation measures
The following is recommended as a countermeasure until a patch is released.
-Disable telnetd (highest priority if possible)
- Block port 23 in firewall (both network perimeter and host)
- Run telnetd with non-root privileges
- Restrict Telnet access to trusted networks
###Detection method
-Network level logging of connections to port 23
- Introduction of IDS signature to detect traffic with LINEMODE SLC suboption greater than approximately 90 bytes
- Telnet session capture and forensic preservation
- Aggregate logs into SIEM
Timeline
| Date | Event |
|---|---|
| 2026-03-11 | Dream Security reports vulnerability in GNU Inetutils |
| 2026-03-12 | Maintainer confirms and submits fix in Pull Request #17 |
| 2026-03-13 | Numbering and publication by CVE |
| 2026-04-01 | Release deadline (planned) |
Related vulnerabilities
About two months ago, another serious vulnerability, CVE-2026-24061 (CVSS 9.8), was disclosed in the same GNU Inetutils telnetd. According to CISA, this has already been confirmed to be exploited in actual attacks (included in the KEV catalog). Two Criticals for the same component in a short period of time casts doubt on the quality of the entire telnetd codebase.
If you still use Telnet in your environment, you should seriously consider moving to SSH rather than waiting for a patch. Telnetd itself is outdated software, and there is a problem with authentication information being sent in plain text. In addition, this vulnerability allows you to gain root without even requiring authentication, so you can’t feel safe just because a patch has been released.