Unauthenticated Remote Root Code Execution Vulnerability in GNU InetUtils Telnetd (CVE-2026-32746)
Summary
Hide ▲
Show ▼
An unauthenticated remote attacker can execute arbitrary code with root privileges via CVE-2026-32746, a critical out-of-bounds write vulnerability in the GNU InetUtils telnet daemon (telnetd) affecting versions through 2.7. The flaw resides in the LINEMODE Set Local Characters (SLC) suboption handler during the initial Telnet handshake, enabling exploitation before any login prompt appears. Successful exploitation requires only a single connection to port 23 and does not require credentials, user interaction, or special network positioning, leading to potential full system compromise.
Timeline
-
18.03.2026 07:06 1 articles · 2h ago
Critical unauthenticated RCE vulnerability (CVE-2026-32746) disclosed in GNU InetUtils telnetd
An unauthenticated remote attacker can achieve arbitrary code execution with root privileges via CVE-2026-32746, an out-of-bounds write flaw in the LINEMODE SLC suboption handler of GNU InetUtils telnetd. Exploitation occurs during the initial Telnet handshake on port 23, before authentication, and requires only a single network connection. No credentials or user interaction are required.
Show sources
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23 — thehackernews.com — 18.03.2026 07:06
Information Snippets
-
CVE-2026-32746 is an out-of-bounds write vulnerability in the LINEMODE SLC suboption handler of GNU InetUtils telnetd affecting all versions through 2.7.
First reported: 18.03.2026 07:061 source, 1 articleShow sources
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23 — thehackernews.com — 18.03.2026 07:06
-
The flaw can be triggered unauthenticated during the initial Telnet protocol handshake before any login prompt appears, enabling remote code execution (RCE) as root.
First reported: 18.03.2026 07:061 source, 1 articleShow sources
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23 — thehackernews.com — 18.03.2026 07:06
-
Exploitation requires only a single network connection to port 23; no credentials, user interaction, or special network access are required.
First reported: 18.03.2026 07:061 source, 1 articleShow sources
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23 — thehackernews.com — 18.03.2026 07:06
-
Successful exploitation of the unpatched vulnerability can result in complete system compromise, including the deployment of persistent backdoors, data exfiltration, and lateral movement.
First reported: 18.03.2026 07:061 source, 1 articleShow sources
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23 — thehackernews.com — 18.03.2026 07:06
-
The vulnerability carries a CVSS score of 9.8 out of 10.0 and was discovered and reported by Dream on March 11, 2026.
First reported: 18.03.2026 07:061 source, 1 articleShow sources
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23 — thehackernews.com — 18.03.2026 07:06
-
A patch for CVE-2026-32746 is expected to be released no later than April 1, 2026.
First reported: 18.03.2026 07:061 source, 1 articleShow sources
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23 — thehackernews.com — 18.03.2026 07:06