CVE-2026-32746 Enables Unauthenticated Root RCE
18 Mar 2026 Peter Bassill
A critical, as-yet-unpatched buffer overflow in GNU InetUtils telnetd allows any unauthenticated attacker to achieve remote code execution as root via a single connection to TCP port 23 — no credentials, no user interaction required. A fix is expected by 1 April 2026. Organisations should disable Telnet immediately if it is not strictly necessary.