Cybersecurity researchers have found a serious security hole in the GNU InetUtils telnet daemon (telnetd) that an unauthorized remote attacker could use to run any code with higher privileges. The CVSS score for the vulnerability, CVE-2026-32746, is 9.8 out of 10.0. Some people have called it a "out-of-bounds write" in the LINEMODE Set Local Characters (SLC) suboption handler that causes a buffer overflow, which then lets code run.

Dream, an Israeli cybersecurity company that found and reported the flaw on March 11, 2026, said it affects all versions of the Telnet service implementation up to 2.7. By April 1, 2026, at the latest, a fix for the problem should be available.

"An unauthenticated remote attacker can take advantage of this by sending a specially crafted message during the initial connection handshake, before any login prompt shows up," Dream said in an alert. "If the attack is successful, it can lead to remote code execution as root." "One network connection to port 23 is all it takes to exploit the flaw.

There are no credentials, no user interaction, and no special network position needed. According to Dream, the SLC handler handles option negotiation during the Telnet protocol handshake. But since the flaw can be triggered before authentication, an attacker can use it right away after making a connection by sending specially crafted protocol messages. If telnetd runs with root privileges, a successful attack could lead to a complete system compromise.

This could then lead to a number of actions after the attack, such as installing persistent backdoors, stealing data, and moving laterally by using the compromised hosts as pivot points. "An unauthenticated attacker can trigger it by connecting to port 23 and sending a crafted SLC suboption with many triplets," said Adiel Sol, a Dream security researcher. "No login is needed; the bug happens during option negotiation, which is before the login prompt.

The overflow damages memory and can be used to write anything. In real life, this can let code run on a computer from a distance.

If an attacker successfully exploited telnetd, they would have full control of the system because it usually runs as root (for example, under inetd or xinetd). "If there is no fix, it's best to turn off the service if you don't need it, run telnetd without root privileges when you need to, block port 23 at the network perimeter and host-based firewall level to limit access, and keep Telnet access separate. The announcement comes almost two months after another serious security hole was found in GNU InetUtils telnetd (CVE-2026-24061, CVSS score: 9.8) that could be used to get root access to a target system.

According to the U.S. Cybersecurity and Infrastructure Security Agency, the vulnerability is now being actively used in the wild.