Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE

Cybersecurity researchers have found a serious security hole in the GNU InetUtils telnet daemon (telnetd) that an unauthenticated remote attacker could use to run any code with higher privileges This article explores telnetd cve 2026. . The CVSS score for this vulnerability, which is known as CVE-2026-32746, is 9.8 out of 10.0. People have called it a "out-of-bounds write" in the LINEMODE Set Local Characters (SLC) suboption handler, which causes a buffer overflow and eventually lets code run.

The Israeli cybersecurity company Dream found and reported the flaw on March 11, 2026. They said it affects all versions of the Telnet service implementation up to 2.7. By April 1, 2026, a fix for the security hole should be available.

"An unauthenticated remote attacker can take advantage of this by sending a specially crafted message during the initial connection handshake, before any login prompt appears," Dream said in an alert. "Successful exploitation can lead to running code as root from a distance." "One network connection to port 23 is all it takes to exploit the flaw.

There are no credentials, no user interaction, and no special network position needed. According to Dream, the SLC handler takes care of option negotiation during the Telnet protocol handshake. But since the flaw can be triggered before authentication, an attacker can use it right away after connecting by sending specially crafted protocol messages. If telnetd runs with root privileges, a successful attack could completely take over the system.

This could then lead to a number of post-exploitation actions, such as setting up permanent backdoors, stealing data, and moving laterally by using the compromised hosts as pivot points. Dream security researcher Adiel Sol says, "An unauthenticated attacker can trigger it by connecting to port 23 and sending a crafted SLC suboption with many triplets." "There's no need to log in; the bug happens during option negotiation, which comes before the login prompt.

The overflow damages memory and can be used to write anything. In practice, this can let code run on a remote machine.

Telnetd usually runs as root (for example, under inetd or xinetd), so if an attacker is able to exploit it, they will have full control over the system. "If there isn't a fix, it's best to turn off the service if it's not needed, run telnetd without root access when necessary, block port 23 at the network perimeter and host-based firewall level to limit access, and keep Telnet access separate." The disclosure comes almost two months after another serious security hole was found in GNU InetUtils telnetd (CVE-2026-24061, CVSS score: 9.8) that could be used to get root access to a target system.

According to the U.S. Cybersecurity and Infrastructure Security Agency, the flaw has been actively used in the wild since then.