Critical Remote Code Execution Vulnerability (CVE‑2026‑32746) in GNU inetutils telnetd 2.7 Allows Pre‑Auth Root Takeover
What Happened – A buffer‑overflow in the LINEMODE SLC handler of GNU inetutils telnetd 2.7 (CVE‑2026‑32746) enables an unauthenticated attacker to execute arbitrary code as root before any login prompt. The flaw is triggered by sending a crafted LINEMODE SLC sub‑option containing more than 40 triplets, overflowing a 108‑byte static buffer.
Why It Matters for TPRM –
- Pre‑auth RCE on a service that typically runs with elevated privileges can compromise any host that exposes telnet.
- Many legacy and IoT devices still ship telnetd; a single vulnerable instance can become a foothold for lateral movement across a supply chain.
- The vulnerability carries a CVSS 9.8 score, indicating a critical risk that must be addressed immediately in third‑party environments.
Who Is Affected – Enterprises and service providers that run GNU inetutils telnetd ≤ 2.7 on Linux/Unix systems, including MSPs, cloud‑hosted VMs, network‑equipment vendors, and any organization exposing telnet to untrusted networks.
Recommended Actions –
- Verify whether telnetd 2.7 or earlier is present on any asset; inventory all systems exposing port 23.
- Apply the upstream patch (PR #17) or upgrade to inetutils ≥ 2.8 where the flaw is fixed.
- If immediate patching is not possible, block inbound telnet traffic at the perimeter and enforce network segmentation.
- Conduct a post‑remediation scan to confirm the vulnerability is mitigated.
Technical Notes – The flaw resides in add_slc() (telnetd/slc.c) which writes 3 bytes per SLC triplet into a fixed 108‑byte buffer without bounds checking. Exploitation results in corruption of the slcptr pointer and a subsequent out‑of‑bounds write, leading to full pre‑authentication remote code execution as root. CVE‑2026‑32746 has a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Source: Exploit‑DB 52556