Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE

The Hacker News, Mar 18, 2026

Why It Matters

Because telnetd often runs with root privileges, the bug can give attackers full system control, threatening critical infrastructure and compliance posture.

Key Takeaways

  • CVE-2026-32746 allows unauthenticated root RCE via Telnet
  • Exploits an out-of-bounds write in the SLC sub-option handler
  • All telnetd versions up to 2.7 are vulnerable
  • Patch expected by April 1, 2026; mitigate now
  • Disable Telnet or run it without root to reduce risk

Pulse Analysis

The GNU InetUtils telnet daemon, a staple of Unix-like systems for decades, remains enabled in many legacy environments despite the rise of SSH. Its simplicity and low overhead make it attractive for embedded devices, network appliances, and certain automation workflows. However, telnet transmits credentials in clear text and runs under privileged system accounts, exposing a broad attack surface. When a critical flaw surfaces, the impact ripples across data centers, cloud instances, and IoT deployments that still expose port 23, and many organizations expose it without realizing they do.

CVE-2026-32746, rated 9.8 on the CVSS scale, stems from an out-of-bounds write in the LINEMODE Set Local Characters (SLC) sub-option handler. By sending a crafted SLC triplet during the initial handshake, an unauthenticated attacker can corrupt memory before any login prompt appears, achieving arbitrary code execution as root. The vulnerability affects every telnetd release up to version 2.7, mirroring the earlier CVE-2026-24061, which already saw active exploitation. Because the attack requires only a single TCP connection to port 23, it bypasses credential-based defenses entirely and can be weaponized at scale.
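For detection teams reviewing captured pre-login Telnet traffic, the following parser (an added example, not code from The Hacker News or from GNU InetUtils) pulls LINEMODE SLC sub-negotiations out of a client byte stream and reports how many triplets arrived and whether the sub-negotiation was properly terminated. It assumes the standard RFC 854/1184 encoding and makes no claim about what a "crafted" triplet looks like for this CVE; the sample bytes are constructed.

```python
# Added defensive example, not code from The Hacker News or GNU InetUtils.
# Assumes the RFC 854/1184 encoding IAC SB LINEMODE SLC <triplets> IAC SE, each
# triplet being (function, modifier, character). Sample bytes are constructed.
IAC, SB, SE = 255, 250, 240   # Telnet command bytes (RFC 854)
LINEMODE, SLC = 34, 3         # LINEMODE option and its SLC sub-option (RFC 1184)

def unescape_iac(data: bytes) -> bytes:
    """Inside a sub-negotiation a literal 0xFF is transmitted as IAC IAC."""
    return data.replace(bytes([IAC, IAC]), bytes([IAC]))

def find_slc_subnegotiations(stream: bytes) -> list:
    """One record per LINEMODE SLC sub-negotiation: offset, decoded triplets,
    leftover bytes after the last full triplet (a malformed-length signal worth
    reviewing) and whether the IAC SE terminator was ever seen."""
    findings, i = [], 0
    while i < len(stream):
        if stream[i] == IAC and i + 2 < len(stream) and stream[i + 1] == SB:
            option = stream[i + 2]
            j, terminated = i + 3, False
            while j < len(stream):                  # scan forward for IAC SE
                if stream[j] == IAC:
                    if j + 1 < len(stream) and stream[j + 1] == SE:
                        terminated = True
                        break
                    j += 2                          # skip an IAC IAC escape
                else:
                    j += 1
            body = unescape_iac(stream[i + 3:j])
            if option == LINEMODE and body[:1] == bytes([SLC]):
                payload = body[1:]
                full = len(payload) - len(payload) % 3
                findings.append({
                    "offset": i,
                    "triplets": [tuple(payload[k:k + 3]) for k in range(0, full, 3)],
                    "trailing_bytes": len(payload) % 3,
                    "terminated": terminated,
                })
            i = j + 2 if terminated else len(stream)
        else:
            i += 1
    return findings

# Constructed sample: IAC WILL LINEMODE, then one SLC sub-negotiation (two triplets).
SAMPLE = bytes([IAC, 251, LINEMODE,
                IAC, SB, LINEMODE, SLC, 1, 2, 0x1F, 2, 3, 0x03, IAC, SE])

if __name__ == "__main__":
    for record in find_slc_subnegotiations(SAMPLE):
        print(record)
```

Feed it the client-to-server bytes of a session up to the first login prompt; any SLC record at all in that window is worth a second look, and an unterminated one or a non-multiple-of-three payload is a parsing anomaly the IDS rule should surface.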

Enterprises should prioritize remediation of this flaw. Until Dream's patch arrives (expected by April 1, 2026), defense-in-depth measures such as disabling telnet, blocking port 23 at network perimeters and host firewalls, and configuring the daemon to run without root privileges can limit exposure. Security and compliance teams must record the vulnerability, identify affected assets, and retain evidence of mitigations for audit purposes. The episode shows that legacy services demand continuous patch management and strict segmentation, since a single unpatched daemon can hand an attacker unrestricted root control.
