A critical vulnerability in the GNU InetUtils telnet daemon, tracked as CVE-2026-32746, could allow an unauthenticated attacker to execute arbitrary code with root privileges. According to The Hacker News, the issue is an out-of-bounds write in the LINEMODE Set Local Characters, or SLC, suboption handler that leads to a buffer overflow during the Telnet protocol handshake.
The flaw was discovered and reported by Israeli cybersecurity company Dream on March 11, 2026. Dream says the vulnerability affects all Telnet service implementations through version 2.7 and can be triggered before any login prompt appears. That means a remote attacker can connect directly to port 23 and send specially crafted protocol messages during option negotiation without needing valid credentials, user interaction or privileged network positioning.
Because telnetd typically runs with root privileges under inetd or xinetd deployments, successful exploitation can lead to full system compromise. Researchers warn that once root access is obtained, attackers could install persistent backdoors, exfiltrate data and use compromised machines as pivot points for lateral movement inside broader environments.
Dream says the bug can be exploited by sending a crafted SLC suboption containing many triplets, corrupting memory and enabling arbitrary writes that can be turned into remote code execution. The report adds that only a single connection to port 23 is needed to trigger the vulnerable code path.
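For defenders who cannot yet remove Telnet, the SLC suboption described above can be monitored on the wire. The following is an added detection example, not code from Dream or GNU InetUtils: it parses a client-to-server byte stream, extracts LINEMODE SLC suboptions and flags those with an unusual triplet count. The function names, the sample bytes and the `MAX_TRIPLETS` threshold are assumptions made for illustration.

```python
# Telnet command and option codes (RFC 854, RFC 1184).
IAC, SB, SE = 255, 250, 240
WILL, DONT = 251, 254
LINEMODE, LM_SLC = 34, 3
# Assumed alert threshold: RFC 1184 assigns SLC function codes 1 through 30,
# so a suboption listing each function once carries at most 30 triplets.
MAX_TRIPLETS = 30

def subnegotiations(stream: bytes):
    """Yield (payload, closed) per IAC SB ... IAC SE block, with IAC IAC unescaped."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # WILL/WONT/DO/DONT carry an option byte; other commands are 2 bytes.
            i += 3 if WILL <= stream[i + 1] <= DONT else 2
        else:
            body, j, closed = bytearray(), i + 2, False
            while j < n and not closed:
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                    closed = True
                elif stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                    body.append(IAC)  # escaped 0xFF data byte
                    j += 2
                else:
                    body.append(stream[j])
                    j += 1
            yield bytes(body), closed
            i = j + 2 if closed else n

def suspicious_slc(stream: bytes):
    """Return a finding for each LINEMODE SLC suboption worth an alert."""
    findings = []
    for body, closed in subnegotiations(stream):
        if body[:2] != bytes([LINEMODE, LM_SLC]):
            continue
        triplets, leftover = divmod(len(body) - 2, 3)
        if triplets > MAX_TRIPLETS or leftover or not closed:
            findings.append({"triplets": triplets, "leftover": leftover, "closed": closed})
    return findings

# Constructed client-to-server samples (not captured traffic).
NORMAL = bytes([IAC, WILL, LINEMODE, IAC, SB, LINEMODE, LM_SLC,
                1, 2, 0,  3, 2, 3,  4, 2, IAC, IAC,  IAC, SE])
OVERSIZED = bytes([IAC, SB, LINEMODE, LM_SLC]) + bytes([1, 0, 0]) * 60 + bytes([IAC, SE])

if __name__ == "__main__":
    print(suspicious_slc(NORMAL), suspicious_slc(OVERSIZED))
```

The same check can be applied to reassembled TCP payloads destined for port 23; a suboption that is unterminated or whose length is not a multiple of three is reported alongside oversized ones.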
At the time of disclosure, no patch had yet been released. Dream said a fix is expected no later than April 1, 2026. Until then, defenders are advised to disable Telnet if it is not required, avoid running telnetd as root when possible, block or tightly restrict access to port 23 and isolate any systems that still depend on Telnet for operational reasons.
The disclosure follows another critical GNU InetUtils telnetd issue, CVE-2026-24061, which was revealed earlier in 2026 and later came under active exploitation according to the U.S. Cybersecurity and Infrastructure Security Agency. Together, the two flaws highlight the continued risk of legacy remote access services that remain exposed in modern environments.