CVE-2026-32746 Enables Unauthenticated Root RCE

18 Mar 2026 Peter Bassill

Overview

Cybersecurity researchers at Israeli firm Dream have disclosed a critical security flaw in the GNU InetUtils Telnet daemon (telnetd) that could allow an unauthenticated remote attacker to execute arbitrary code with root-level privileges. Tracked as CVE-2026-32746 and assigned a CVSS v3.1 base score of 9.8 out of 10.0, the vulnerability represents a severe risk to any system still running the Telnet service on the public internet or an untrusted network.

Vulnerability Details

CVE ID: CVE-2026-32746
CVSS Score: 9.8 / 10.0
Severity: Critical
Affected Software: GNU InetUtils telnetd ≤ 2.7
Vector: Network / Unauthenticated
Fix Expected: By 1 April 2026

At its core, the vulnerability is an out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler within the Telnet protocol's option negotiation phase. The SLC handler processes character-mapping triplets exchanged between client and server during the initial connection handshake — crucially, before any login prompt is presented. By supplying a specially crafted SLC suboption containing an excessive number of triplets, an attacker can overflow a stack or heap buffer, corrupt memory, and ultimately achieve arbitrary write primitives sufficient to gain code execution.
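
The suboption framing described above can be checked on captured port-23 bytes. The following Python detector is an added example, not code from the advisory or from GNU InetUtils: it extracts each LINEMODE SLC suboption and flags any whose triplet count exceeds a ceiling. The `MAX_TRIPLETS` threshold and both sample byte strings are assumptions constructed for illustration; the framing constants are those of RFC 854 and RFC 1184.

```python
IAC, SB, SE = 255, 250, 240   # Telnet framing bytes (RFC 854)
LINEMODE, LM_SLC = 34, 3      # LINEMODE option, SLC suboption (RFC 1184)
MAX_TRIPLETS = 30             # assumed alert threshold, not from the advisory


def slc_suboptions(stream: bytes):
    """Yield (offset, payload) per LINEMODE SLC suboption, IAC IAC unescaped."""
    i = 0
    while i + 1 < len(stream):
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2                    # escaped 0xFF or another command: skip it
        else:
            start, body, j = i, bytearray(), i + 2
            while j < len(stream):
                if stream[j] == IAC and j + 1 < len(stream):
                    if stream[j + 1] == SE:
                        break         # IAC SE closes the suboption
                    j += 1            # drop the escape byte (IAC IAC -> one 0xFF)
                body.append(stream[j])
                j += 1
            i = j + 2
            # An unterminated suboption (capture cut short) is still reported.
            if body[:2] == bytes([LINEMODE, LM_SLC]):
                yield start, bytes(body[2:])


def inspect(stream: bytes, limit: int = MAX_TRIPLETS):
    """Flag SLC suboptions with too many triplets or a length not divisible by 3."""
    findings = []
    for offset, payload in slc_suboptions(stream):
        triplets, leftover = divmod(len(payload), 3)
        if triplets > limit or leftover:
            findings.append({"offset": offset, "triplets": triplets,
                             "trailing_bytes": leftover})
    return findings


# Constructed samples, not captured traffic.
NORMAL = bytes([IAC, 251, LINEMODE,                 # IAC WILL LINEMODE
                IAC, SB, LINEMODE, LM_SLC,
                3, 2, 3, 8, 2, 4, 10, 2, 127,       # three (function, flags, value) triplets
                IAC, SE])
OVERSIZED = (bytes([IAC, SB, LINEMODE, LM_SLC])
             + bytes([1, 0, 0]) * 64 + bytes([IAC, SE]))

if __name__ == "__main__":
    print(inspect(NORMAL), inspect(OVERSIZED))
```

Feed it the client-to-server byte stream of each session reassembled from a packet capture; the offset in each finding points at the `IAC SB` that opened the suspect suboption.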

"An unauthenticated attacker can trigger it by connecting to port 23 and sending a crafted SLC suboption with many triplets. No login is required; the bug is hit during option negotiation, before the login prompt. The overflow corrupts memory and can be turned into arbitrary writes. In practice, this can lead to remote code execution. Because telnetd usually runs as root (e.g., under inetd or xinetd), a successful exploit would give the attacker full control of the system." — Adiel Sol, Security Researcher, Dream

Dream disclosed the flaw to the GNU InetUtils maintainers on 11 March 2026. All versions of telnetd through and including 2.7 are confirmed affected. A patched release is anticipated no later than 1 April 2026.

Attack Scenario

The attack is extremely low-friction. An adversary needs only a single TCP connection to port 23 — no prior knowledge of credentials, no man-in-the-middle position, and no social engineering of a legitimate user. The exploitation sequence is:

  1. Attacker opens a TCP connection to the victim host on port 23.
  2. During the Telnet option negotiation phase, the attacker sends a specially crafted LINEMODE SLC suboption containing an abnormally large number of character-mapping triplets.
  3. The telnetd SLC handler writes beyond the bounds of the allocated buffer, corrupting adjacent memory.
  4. Memory corruption is leveraged to achieve arbitrary write primitives and redirect execution flow.
  5. Because telnetd typically runs under inetd or xinetd as root, successful exploitation yields a root shell on the target system.

Post-exploitation possibilities include persistent backdoor installation, credential harvesting, data exfiltration, and lateral movement through the wider network using the compromised host as a pivot point.

Context: A Second Critical InetUtils Flaw in Two Months

This disclosure follows closely on the heels of CVE-2026-24061 (also CVSS 9.8), a separate critical vulnerability in GNU InetUtils telnetd disclosed approximately two months ago that similarly enabled root access. That flaw has since been exploited in active campaigns, as confirmed by the US Cybersecurity and Infrastructure Security Agency (CISA). The rapid succession of two critical-severity vulnerabilities in the same service underscores the inherent danger of running Telnet in any environment and should be treated as a strong signal to decommission it permanently.

Recommended Mitigations

Until a patched release of GNU InetUtils is available, organisations should implement the following controls in order of priority:

Priority | Action | Notes
Critical | Disable telnetd immediately | If Telnet is not operationally required, stop and mask the service. This is the only complete mitigation.
Critical | Block TCP port 23 at the perimeter firewall | Deny all inbound connections to port 23 at the network boundary as an immediate containment measure.
Critical | Block TCP port 23 at the host firewall (ufw / iptables) | Defence-in-depth: apply host-level rules in addition to perimeter controls.
High | Run telnetd without root privileges | If Telnet must remain operational, drop privileges using a dedicated low-privilege service account.
High | Isolate Telnet access with strict network segmentation | Restrict access to known, trusted IP ranges via firewall rules or a jump host. Avoid any internet-facing exposure.
Medium | Monitor for exploitation attempts | Alert on unexpected connections to port 23 and anomalous telnetd process behaviour in SIEM/IDS.
Medium | Apply the patch immediately upon release | Track the GNU InetUtils project for the patched release expected by 1 April 2026 and deploy it promptly.

Broader Recommendation: Given that two critical vulnerabilities have now been identified in GNU InetUtils telnetd within eight weeks, organisations are strongly advised to treat this as an opportunity to permanently retire Telnet in favour of SSH. Telnet transmits all data — including credentials — in plaintext and has no place on any modern network.

Detection Indicators

Defenders should look for the following indicators of potential exploitation activity:

  • Unexpected or novel connections to TCP port 23 from external or untrusted IP addresses.
  • Abnormally short-lived Telnet sessions that terminate before presenting a login prompt.
  • telnetd spawning unexpected child processes, particularly shells (/bin/bash, /bin/sh).
  • Anomalous network traffic originating from hosts running telnetd post-connection (indicative of post-exploitation activity).
  • New or modified files in system directories (/etc, /root, cron directories) shortly after a Telnet connection.
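
The child-process indicator above can be turned into a rule over process-execution telemetry. The following Python check is an added example, not part of the advisory: it walks exec events in time order and flags any unexpected program started directly under telnetd, and also generalises the indicator to the case where the telnetd process replaces its own image. The event schema, the `EXPECTED` allowlist and the sample events are assumptions constructed for illustration.

```python
import posixpath

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# Assumption: telnetd starts login for each session, and login forks before
# running the user's shell, so a legitimate shell is never telnetd's own child.
EXPECTED = {"login"}


def flag_telnetd_execs(events):
    """Return (pid, exe, severity) for unexpected programs run by or under telnetd."""
    image = {}                      # pid -> basename of the image it last exec'd
    alerts = []
    for ev in events:               # exec events in time order
        name = posixpath.basename(ev["exe"])
        under_telnetd = image.get(ev["ppid"]) == "telnetd"
        was_telnetd = image.get(ev["pid"]) == "telnetd"   # telnetd replaced itself
        if (under_telnetd or was_telnetd) and name not in EXPECTED:
            alerts.append((ev["pid"], ev["exe"],
                           "high" if name in SHELLS else "medium"))
        image[ev["pid"]] = name
    return alerts


# Constructed exec events in a hypothetical normalised schema (pid, ppid, exe).
EVENTS = [
    {"pid": 700, "ppid": 1,   "exe": "/usr/sbin/inetd"},
    {"pid": 810, "ppid": 700, "exe": "/usr/sbin/telnetd"},
    {"pid": 811, "ppid": 810, "exe": "/bin/login"},
    {"pid": 812, "ppid": 811, "exe": "/bin/bash"},     # normal: shell under login
    {"pid": 900, "ppid": 700, "exe": "/usr/sbin/telnetd"},
    {"pid": 901, "ppid": 900, "exe": "/bin/sh"},       # shell directly under telnetd
]

if __name__ == "__main__":
    for alert in flag_telnetd_execs(EVENTS):
        print(alert)
```

On hosts where the login program runs the shell in place without forking, extend `EXPECTED` or match on the login-to-shell transition instead, otherwise normal sessions will alert.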

Conclusion

CVE-2026-32746 is about as severe as network-exposed vulnerabilities get: pre-authentication, zero-interaction, remotely exploitable as root over a decades-old plaintext protocol. The attack is simple to execute and the attack surface is broad — any system with port 23 reachable from an untrusted network is at immediate risk.

The absence of a patch at time of disclosure makes defensive action non-negotiable. Organisations should act now: audit your estate for any systems running telnetd, disable the service where possible, and enforce network-level blocks on port 23 without delay.