The security community has raised the alarm after the discovery of a critical vulnerability in the Telnet daemon included in GNU Inetutils. Israeli researchers revealed that the telnetd service contains a memory-corruption flaw that can allow an unauthenticated remote attacker to run code with high privileges, making it an immediate risk to systems that still expose the service to reachable networks.
The weakness is tracked as CVE-2026-32746 and carries a very high CVSS score, 9.8 out of 10, which reflects its severity: it is an overflow caused by an out-of-bounds write in the handler for the SLC (Set Local Characteristics) suboption of the Telnet protocol's LINEMODE option. In simple terms, during the protocol's initial negotiation a specially crafted packet can corrupt memory in telnetd and open the door to arbitrary writes that, in practice, can result in remote code execution.

The discovery was made and reported by the firm Dream on March 11, 2026. According to its analysis, versions of Inetutils up to 2.7 are affected, and a public fix is expected to be available by 1 April 2026. Dream's technical research, which can be consulted in its public advisory, explains how the vulnerability is triggered during the Telnet option negotiation phase, even before a login prompt is shown to the user.
One aspect that increases the risk is that exploitation requires no credentials and no user interaction: it is enough to open a TCP connection to port 23 and send the malformed data during the handshake. Since in many installations telnetd runs with root permissions under super-server daemons such as inetd or xinetd, successful exploitation can give the attacker total control of the affected system. This enables post-exploitation actions such as installing persistent backdoors, exfiltrating information or moving laterally within a compromised network.
The more technical description on the GNU mailing lists indicates that the error occurs when the SLC handler processes multiple "triplets" within the suboption and ends up writing outside the target buffer, causing memory corruption that can become arbitrary writes. The exchange is available on the Inetutils mailing list for more technical context.
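The suboption described above can be checked passively in captured client-to-server Telnet bytes. The following is an added example, not code from Dream, GNU Inetutils or the original article: the byte values come from RFC 854/855 and RFC 1184, while the function names, the sample captures and the `MAX_TRIPLETS` limit are assumptions chosen for illustration (the article does not state how many triplets trigger the overflow).

```python
IAC, SB, SE = 255, 250, 240    # RFC 854/855 command bytes
LINEMODE, LM_SLC = 34, 3       # RFC 1184 option / suboption codes
MAX_TRIPLETS = 30              # assumed local policy limit, not from the advisory

def suboptions(stream: bytes):
    """Yield the unescaped body of each IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] in (251, 252, 253, 254):  # WILL/WONT/DO/DONT + option
            i += 3
        elif stream[i + 1] != SB:                    # IAC IAC or other command
            i += 2
        else:
            i, body = i + 2, bytearray()
            while i < n:
                nxt = stream[i + 1] if i + 1 < n else None
                if stream[i] == IAC and nxt == SE:
                    yield bytes(body)
                    i += 2
                    break
                if stream[i] == IAC and nxt == IAC:
                    i += 1                           # IAC IAC is one literal 0xFF
                body.append(stream[i])
                i += 1

def slc_findings(stream: bytes, max_triplets: int = MAX_TRIPLETS):
    """Return a finding for each suspicious LINEMODE SLC suboption."""
    findings = []
    for body in suboptions(stream):
        if body[:2] != bytes([LINEMODE, LM_SLC]):
            continue
        triplets, leftover = divmod(len(body) - 2, 3)
        if leftover:
            findings.append(f"SLC data is not a whole number of triplets ({len(body) - 2} bytes)")
        if triplets > max_triplets:
            findings.append(f"{triplets} SLC triplets exceed limit {max_triplets}")
    return findings

# Constructed client-to-server captures (not real traffic).
NORMAL = bytes([IAC, 251, LINEMODE, IAC, SB, LINEMODE, LM_SLC,
                3, 2, 3, 10, 2, 127, IAC, SE])
TRUNCATED = bytes([IAC, SB, LINEMODE, LM_SLC, 3, 2, 3, 10, 2, IAC, SE])

if __name__ == "__main__":
    print(slc_findings(NORMAL) or "ok")              # within policy
    print(slc_findings(NORMAL, max_triplets=1))      # limit lowered to show the count check
    print(slc_findings(TRUNCATED))                   # malformed triplet data
```

Because the negotiation happens before login, a check like this is only useful on traffic to port 23 from networks that should not be reaching telnetd at all; tune the limit to what legitimate clients in the environment actually send.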
The news comes just a few weeks after another critical vulnerability in the same component, CVE-2026-24061, which was also rated at maximum severity. That earlier vulnerability was actively exploited in real environments according to reports from security agencies, which underlines the need to act quickly on this new flaw.
While suppliers work on the patch, the risk-mitigation recommendations are practical and urgent: if Telnet is not necessary, the most prudent course is to disable the service completely. Where its use is mandatory, limit the scope of the service, for example by running telnetd with minimum privileges rather than as root, restricting access with firewall rules that block port 23 from untrusted networks and isolating Telnet access points in tightly controlled segments. Blocking port 23 at the perimeter and applying host-level controls reduces the attack surface until the final fix arrives.

Administrators who want to follow the evolution of the problem and get the patch when it is available should monitor the official communications of GNU Inetutils and the technical advisory published by the discoverers: Dream's advisory provides details on the exploitation technique and the vectors involved, and the NVD entry documents the classification and score of the vulnerability. Dream's analysis: dreamgroup.com (advisory). Public reference in the NVD: CVE-2026-32746.
This incident is a reminder that, although technologies such as Telnet are old and in many environments have been replaced by secure alternatives such as SSH, they remain present in embedded systems, legacy network equipment and industrial environments. These environments are often harder to patch and are therefore more exposed. It is therefore key to combine immediate measures (disabling unnecessary services and hardening access) with a medium-term plan that includes systematic software updates and migration to more modern, encrypted protocols.
In short, the telnetd vulnerability in GNU Inetutils is a serious risk because of its ease of exploitation and the high privileges it can yield. Administrators and security officers should act without delay to reduce exposure, monitor official sources so they can apply the recommended patch, and review the use of Telnet in their infrastructure in favor of safer solutions. For more context on the Telnet protocol and its option negotiation, see the original specification, RFC 854 (Telnet Protocol Specification).