thehackernews.com 3/18/2026, 5:58:07 AM

Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23

CyberSIXT Evidence Panel: primary source nvd.nist.gov; CISA KEV: listed in KEV; patch: patch available.

The Hacker News reports a critical flaw in the GNU InetUtils telnetd, tracked as CVE-2026-32746, which allows unauthenticated remote code execution via port 23 and carries a CVSS score of 9.8. Dream, an Israeli cybersecurity company, discovered and reported the flaw on 11 March 2026 and says it affects all telnetd versions through 2.7, with a fix expected no later than 1 April 2026.

The vulnerability arises from an out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler, a buffer overflow that can lead to code execution. An unauthenticated attacker can trigger it during the initial connection handshake, before any login prompt appears, so a single network connection to port 23 is all that is required. If telnetd runs with root privileges, exploitation could give the attacker full control of the system and facilitate backdoors, data exfiltration, and lateral movement.
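The suboption named above travels inside telnet subnegotiation framing (IAC SB LINEMODE SLC ... IAC SE, with any IAC byte in the payload doubled), so a defender reviewing captured telnet traffic from port 23 can pull these blocks out and check their shape. The following is an added example, not code from the article or from GNU InetUtils: a bounds-checked decoder that isolates subnegotiations and applies RFC 1184 structural checks to SLC payloads (whole triplets, function codes within the defined range). These checks are RFC-level sanity checks and are not a signature for CVE-2026-32746, whose exact trigger the article does not describe; the sample streams are constructed.

```python
# Added example, not code from the article or from GNU InetUtils: a
# bounds-checked decoder for the telnet LINEMODE SLC suboption (RFC 1184).
IAC, SB, SE = 255, 250, 240            # telnet command bytes
LINEMODE, SLC = 34, 3                  # LINEMODE option; its Set Local Characters suboption
MAX_SLC_FUNC = 18                      # highest SLC function code defined in RFC 1184


def subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE block; IAC IAC inside is unescaped."""
    i, n = 0, len(stream)
    while (i := stream.find(b"\xff", i)) >= 0:              # next IAC
        if i + 1 >= n or (stream[i + 1] == SB and i + 2 >= n):
            raise ValueError("truncated IAC sequence at end of stream")
        if stream[i + 1] != SB:                              # plain command or escaped data IAC
            i += 3 if stream[i + 1] in (251, 252, 253, 254) else 2   # WILL/WONT/DO/DONT carry an option byte
            continue
        option, j, payload = stream[i + 2], i + 3, bytearray()
        while True:                                          # each branch reads stream[j] and stream[j+1]
            if j + 1 >= n:
                raise ValueError("unterminated subnegotiation")
            if stream[j] != IAC:
                payload.append(stream[j]); j += 1
            elif stream[j + 1] == SE:
                break
            elif stream[j + 1] == IAC:
                payload.append(IAC); j += 2
            else:
                raise ValueError("unexpected IAC command inside subnegotiation")
        yield option, bytes(payload)
        i = j + 2


def audit_slc(option: int, payload: bytes) -> list[str]:
    """RFC 1184 structural checks on an SLC payload: SLC byte, then (function, flags, value) triplets."""
    findings = []
    if option != LINEMODE or not payload or payload[0] != SLC:
        return findings                                      # not an SLC suboption, nothing to check
    body = payload[1:]
    if len(body) % 3:
        findings.append(f"SLC body of {len(body)} bytes is not whole triplets")
    for k in range(len(body) // 3):
        func = body[3 * k]                                   # function 0 is RFC 1184's 'all functions' request
        if func > MAX_SLC_FUNC:
            findings.append(f"triplet {k}: SLC function {func} above RFC 1184 maximum {MAX_SLC_FUNC}")
    return findings


# Constructed sample streams (not captured traffic): a normal client negotiation and a malformed one.
BENIGN = bytes([IAC, 251, LINEMODE, IAC, SB, LINEMODE, SLC, 3, 2, 3, 8, 2, 4, IAC, SE]) + b"login\r\n"
MALFORMED = bytes([IAC, SB, LINEMODE, SLC, 200, 2, IAC, IAC, 7, IAC, SE])
```

Run `audit_slc` over every block `subnegotiations` yields from a pre-login capture; BENIGN produces no findings, while MALFORMED reports both a non-triplet body length and an out-of-range function code.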

The advisory also notes that, in the absence of a fix, users should disable the service or, where it is still needed, run telnetd as a non-root user, and block port 23 at network and host firewalls. This follows another critical GNU InetUtils telnetd flaw (CVE-2026-24061), disclosed about two months earlier, which the U.S. CISA reported as being exploited in the wild.


Article by CyberSIXT