A critical security vulnerability has been disclosed in the telnetd component of GNU inetutils, affecting all versions through 2.7. Tracked as CVE-2026-32746 and assigned a CVSS score of 9.8 (Critical), this flaw represents one of the most severe remotely-exploitable vulnerabilities disclosed this quarter.
Vulnerability Overview
The vulnerability is an out-of-bounds (OOB) write in the LINEMODE SLC (Set Local Characters) suboption handler of telnetd. The root cause lies in the add_slc() function, which fails to verify whether the internal buffer has reached capacity before writing additional data. An attacker can exploit this by sending specially crafted LINEMODE SLC suboption data to the Telnet service, overwriting adjacent memory and potentially achieving arbitrary code execution.
CVSS 3.1 Breakdown
The vulnerability received the highest possible severity ratings across all metrics:
- Attack Vector: Network — exploitable remotely without physical access
- Attack Complexity: Low — no special conditions or race windows required
- Privileges Required: None — no authentication needed
- User Interaction: None — fully automated exploitation possible
- Confidentiality Impact: High — sensitive data exposure
- Integrity Impact: High — arbitrary data modification
- Availability Impact: High — complete denial of service
Technical Analysis
The add_slc() function within the telnetd LINEMODE implementation appends SLC (Set Local Characters) entries into a fixed-size buffer. However, the function does not perform any bounds checking prior to the write operation. When a malicious client sends an excessive number of SLC entries within a single LINEMODE negotiation sequence, the buffer overflows, corrupting adjacent stack or heap memory.
"The lack of a simple bounds check in add_slc() creates a textbook buffer overflow condition. Given that telnetd often runs with elevated privileges, the impact of successful exploitation is catastrophic." — QuantNest Radar Threat Research
Because the Telnet protocol operates in plaintext and the exploit requires zero authentication, any internet-exposed telnetd instance running GNU inetutils ≤ 2.7 is immediately at risk.
Affected Systems
The following environments are confirmed vulnerable:
- Any Linux distribution shipping GNU inetutils through version 2.7 with telnetd enabled
- Debian, Ubuntu, and derivative distributions using the inetutils-telnetd package
- Embedded systems and IoT devices running legacy Telnet daemons based on GNU inetutils
- Legacy infrastructure in healthcare, manufacturing, and government sectors still relying on Telnet for remote management
Remediation and Mitigation
Organizations should take immediate action to reduce their exposure:
- Patch immediately: Update GNU inetutils beyond version 2.7. Monitor your distribution's security advisory channels for the patched package release.
- Disable telnetd: If Telnet is not operationally critical, disable or remove the service immediately. Run systemctl stop telnet.socket && systemctl disable telnet.socket on systemd-based systems.
- Restrict network access: If telnetd must remain active, restrict access to port 23 using firewall rules (e.g., iptables or security groups), allowing connections only from trusted internal hosts.
- Migrate to SSH: Replace all Telnet usage with SSH, which provides encrypted communications and stronger authentication mechanisms.
- Monitor for exploitation: Watch for unusual LINEMODE SLC suboption negotiation patterns in network traffic captures and IDS/IPS logs. Anomalous bursts of SLC data to port 23 should trigger immediate investigation.
Indicators of Compromise
Security teams should monitor for the following anomalies:
- Unusually large or malformed LINEMODE SLC suboption sequences in Telnet traffic
- Unexpected crashes or segmentation faults in the telnetd process
- Unauthorized process spawning or reverse shell connections originating from the telnetd parent process
- Suspicious modifications to system files or creation of new user accounts following Telnet activity
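One way to implement the SLC monitoring described above, as an added example that is not part of the original advisory or of GNU inetutils: a parser that walks a reassembled client-to-server Telnet byte stream, un-escapes IAC bytes and counts the SLC triplets in each LINEMODE SLC suboption. The session data, the flag_sessions helper and the MAX_TRIPLETS threshold are assumptions; tune the threshold against your own baseline.

```python
# Added example: count SLC triplets in Telnet LINEMODE suboptions (RFC 1184).
IAC, SB, SE, WILL = 255, 250, 240, 251  # Telnet command bytes (RFC 854)
TELOPT_LINEMODE, LM_SLC = 34, 3         # LINEMODE option, SLC suboption (RFC 1184)
MAX_TRIPLETS = 30  # assumed alert threshold, not taken from the advisory


def slc_suboptions(stream: bytes):
    """Yield (offset, triplet_count, terminated) per LINEMODE SLC suboption."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT carry one option byte; IAC IAC is escaped data
            i += 3 if 251 <= cmd <= 254 else 2
            continue
        start, j, body, closed = i, i + 2, bytearray(), False
        while j < n:
            pair = stream[j:j + 2]
            if pair == bytes([IAC, SE]):      # end of suboption
                closed, j = True, j + 2
                break
            body.append(stream[j])
            j += 2 if pair == bytes([IAC, IAC]) else 1  # un-escape 0xFF
        i = j
        if body[:2] == bytes([TELOPT_LINEMODE, LM_SLC]):
            yield start, (len(body) - 2) // 3, closed


def flag_sessions(sessions: dict, limit: int = MAX_TRIPLETS):
    """Return [(session_id, offset, triplets)] for suboptions above the limit."""
    return [(sid, off, cnt) for sid, data in sessions.items()
            for off, cnt, _ in slc_suboptions(data) if cnt > limit]


def _slc(triplets):
    """Build a constructed SLC suboption, escaping 0xFF as IAC IAC."""
    raw = bytes(b for t in triplets for b in t).replace(b"\xff", b"\xff\xff")
    return bytes([IAC, SB, TELOPT_LINEMODE, LM_SLC]) + raw + bytes([IAC, SE])


# Constructed sample sessions (documentation addresses), kept deliberately small.
SAMPLE = {
    "192.0.2.5:40122": bytes([IAC, WILL, TELOPT_LINEMODE])
                       + _slc([(3, 2, 3), (8, 2, 4), (10, 2, 127), (11, 2, 21)]),
    "192.0.2.9:51544": b"login\r\n" + _slc([(f, 2, 255) for f in range(1, 13)]),
}

if __name__ == "__main__":
    print(flag_sessions(SAMPLE, limit=8))  # limit lowered to fit the small sample
```

An unterminated suboption is reported with terminated set to False, which is worth logging separately because it indicates either a truncated capture or a malformed negotiation.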
QuantNest will continue tracking this vulnerability and update this advisory as vendor patches become available and additional exploitation intelligence emerges.