According to Dream Security, a critical vulnerability in GNU InetUtils telnetd, tracked as CVE-2026-32746, allows unauthenticated remote attackers to execute code with elevated privileges due to an out-of-bounds write in the LINEMODE handler. The flaw, which has a CVSS score of 9.8, affects all versions up to 2.7, and a patch is expected by 1 April 2026.
Exploitation requires no authentication or user interaction, with an attacker able to trigger remote code execution as root by sending a specially crafted message during the initial connection handshake. GNU InetUtils telnetd provides remote login access via Telnet, and the advisory notes that telnetd often runs as root, enabling complete host compromise if exploited.
The report emphasises that a single network connection to port 23 can be enough to trigger the vulnerability, making it highly dangerous across Linux distributions, IoT devices, and legacy OT/ICS environments. Experts recommend disabling Telnet services and implementing mitigation measures such as blocking port 23 and enabling logging and IDS monitoring until a fix is released.
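The recommended interim steps (disable Telnet, block port 23) start with knowing where telnetd is actually enabled. The following is an added example, not taken from the advisory: it audits an inetd.conf and the output of `ss -H -ltn` for Telnet exposure. Both sample inputs are constructed, and the `/usr/sbin/telnetd` path and the function names are assumptions.

```python
# Constructed inetd.conf sample; the telnetd path is an assumption.
SAMPLE_INETD = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
telnet  stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd
#telnet stream  tcp6 nowait  root  /usr/sbin/telnetd  telnetd
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
"""

# Constructed `ss -H -ltn` sample: State Recv-Q Send-Q Local Peer.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 5 127.0.0.1:2323 0.0.0.0:*
LISTEN 0 5 [::]:23 [::]:*
"""

def inetd_telnet_entries(text):
    """Return (user, server) for each active inetd entry that serves Telnet."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenise
        if len(fields) >= 6 and (fields[0] == "telnet" or fields[5].endswith("telnetd")):
            # The user field may carry a group as user.group or user:group.
            user = fields[4].replace(":", ".").split(".")[0]
            found.append((user, fields[5]))
    return found

def port23_listeners(ss_output, port="23"):
    """Return local addresses that have a listener on the Telnet port."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, p = fields[3].rpartition(":")  # handles [::]:23 as well
            if p == port:
                hits.append(addr)
    return hits

def audit(inetd_text, ss_output):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for user, server in inetd_telnet_entries(inetd_text):
        sev = "CRITICAL" if user == "root" else "HIGH"
        findings.append(f"{sev}: inetd starts {server} as {user}; comment the entry out")
    for addr in port23_listeners(ss_output):
        scope = "loopback only" if addr.startswith("127.") or addr == "[::1]" else "network reachable"
        findings.append(f"LISTEN: {addr}:23 ({scope}); disable the service or block the port")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INETD, SAMPLE_SS)))
```

On a real host, pass the contents of the inetd configuration and live `ss -H -ltn` output instead of the samples.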