A critical Telnet vulnerability with a CVSS rating of 9.8 enables attackers to take full control of affected systems before authentication even kicks in, security researchers at Dream Security have warned.
Tracked as CVE-2026-32746, the vulnerability lies in GNU inetutils telnetd, a widely deployed implementation of the Telnet remote access protocol found across legacy infrastructure, networking equipment, and embedded systems. Telnet, which carries credentials and session data in cleartext, has largely been replaced by SSH (Secure Shell) in modern environments since the early 2000s.
On systems that still run the vulnerable Telnet service, the newly disclosed flaw is an out-of-bounds write caused by a buffer overflow, which can lead to unauthenticated remote code execution (RCE) as root.
The root cause is a buffer overflow in the telnetd LINEMODE Set Local Characters (SLC) handler triggered during Telnet protocol negotiation, according to the National Vulnerability Database entry for the flaw. Because the vulnerability can be exploited before authentication, attackers can execute arbitrary code immediately after establishing a connection using specially crafted messages.
In many deployments, telnetd runs with root privileges, meaning successful exploitation can result in full system compromise, Dream said.
Dream informed GNU Inetutils maintainers of the flaw on March 11, describing how the buffer overflow could be exploited.
“The SLC response is built in a fixed 108-byte buffer, slcbuf, with only 104 bytes used for data after a 4-byte header. The function add_slc() (lines 162-175) appends 3 bytes per SLC triplet but never checks whether the buffer is full. The pointer slcptr is just incremented each time,” the company told the maintainers, according to a message to a GNU mailing list.
“After about 35 triplets […], the 104-byte space is exceeded and the code writes past the end of slcbuf. That corrupts whatever lies after it in BSS (including the slcptr pointer). Later, end_slc() uses the corrupted slcptr to write the suboption end marker, which gives the attacker an arbitrary write in memory. So the bug is a classic buffer overflow with no bounds check,” the message continued.
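To make the mechanism in Dream's description concrete, the following is an added example written for this article, not code from inetutils and not the maintainers' fix. It reconstructs the shape of the bug: a 108-byte buffer with a 4-byte IAC SB LINEMODE SLC header, an add_slc-style append that bumps a pointer without checking for the end, and an end marker written through that pointer, beside a checked variant that refuses a triplet when it would not fit. The object that follows the buffer in BSS is modeled as a canary-filled array so the overflow can be observed instead of corrupting a live pointer; the names slc_state, add_slc_unchecked, add_slc_checked and build_response, the constant flag/value bytes, and the exact-size check (which also accounts for Telnet's doubling of 0xFF data bytes) are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Telnet constants (RFC 854, RFC 1184). */
#define IAC             255
#define SB              250
#define SE              240
#define TELOPT_LINEMODE 34
#define LM_SLC          3

/* Buffer size as described in Dream's report: 108 bytes, 4-byte header, 104 for data. */
#define SLC_BUFSIZE 108
/* Model of whatever the linker placed after slcbuf in BSS (in the real layout, slcptr itself).
   Filled with a canary so that an overflow is observable rather than a crash. */
#define AFTER_SIZE  16
#define CANARY      0xAA

struct slc_state {
    unsigned char bss[SLC_BUFSIZE + AFTER_SIZE]; /* [0,108) = slcbuf, [108,124) = next object */
    unsigned char *slcptr;
    int trapped;   /* demo-only flag: set if even the model array would have been exceeded */
};

/* Demo-only guard that keeps this program memory-safe. The real code has nothing like it. */
static int model_room(const struct slc_state *st, size_t need)
{
    return (size_t)(st->bss + sizeof st->bss - st->slcptr) >= need;
}

/* Reset the buffer, plant the canary and emit the 4-byte suboption header. */
static void start_slc(struct slc_state *st)
{
    memset(st->bss, 0, SLC_BUFSIZE);
    memset(st->bss + SLC_BUFSIZE, CANARY, AFTER_SIZE);
    st->trapped = 0;
    st->slcptr = st->bss;
    *st->slcptr++ = IAC;
    *st->slcptr++ = SB;
    *st->slcptr++ = TELOPT_LINEMODE;
    *st->slcptr++ = LM_SLC;
}

/* Write one data byte, doubling 0xFF as Telnet requires; a triplet therefore takes 3..6 bytes. */
static void put_byte(struct slc_state *st, unsigned char b)
{
    *st->slcptr++ = b;
    if (b == IAC)
        *st->slcptr++ = IAC;
}

/* Vulnerable shape: append the triplet and advance the pointer, never compare against the end. */
static void add_slc_unchecked(struct slc_state *st, unsigned char func, unsigned char flag, unsigned char val)
{
    if (!model_room(st, 6)) { st->trapped = 1; return; }
    put_byte(st, func);
    put_byte(st, flag);
    put_byte(st, val);
}

/* Hardened shape: compute the exact bytes this triplet needs, keep 2 for the IAC SE trailer,
   and refuse instead of writing past slcbuf. Returns 1 if appended, 0 if dropped. */
static int add_slc_checked(struct slc_state *st, unsigned char func, unsigned char flag, unsigned char val)
{
    size_t need = 3 + (func == IAC) + (flag == IAC) + (val == IAC);
    const unsigned char *end = st->bss + SLC_BUFSIZE;
    if ((size_t)(end - st->slcptr) < need + 2)
        return 0;
    put_byte(st, func);
    put_byte(st, flag);
    put_byte(st, val);
    return 1;
}

/* Terminate the suboption through slcptr. In the real layout slcptr sits after slcbuf, so once
   the overflow has overwritten it this write lands wherever the attacker's bytes point. */
static size_t end_slc(struct slc_state *st)
{
    if (!model_room(st, 2)) { st->trapped = 1; return (size_t)(st->slcptr - st->bss); }
    *st->slcptr++ = IAC;
    *st->slcptr++ = SE;
    return (size_t)(st->slcptr - st->bss);
}

struct build_result {
    int accepted;      /* triplets appended */
    size_t len;        /* response length; exceeds SLC_BUFSIZE when the unchecked builder overflowed */
    size_t clobbered;  /* canary bytes overwritten past slcbuf */
    int trapped;       /* demo-only: model array limit reached */
};

/* Build a response of n triplets with a constant flag and value (constructed input, not captured traffic). */
struct build_result build_response(int n, unsigned char val, int checked)
{
    struct slc_state st;
    struct build_result r = {0, 0, 0, 0};
    start_slc(&st);
    for (int i = 0; i < n; i++) {
        unsigned char func = (unsigned char)(1 + (i % 30)); /* SLC function codes are small integers */
        if (checked) {
            r.accepted += add_slc_checked(&st, func, 0x03, val);
        } else {
            add_slc_unchecked(&st, func, 0x03, val);
            if (!st.trapped) r.accepted++;
        }
    }
    r.len = end_slc(&st);
    for (int i = 0; i < AFTER_SIZE; i++)
        if (st.bss[SLC_BUFSIZE + i] != CANARY) r.clobbered++;
    r.trapped = st.trapped;
    return r;
}

int main(void)
{
    struct build_result v = build_response(35, 0x11, 0);
    struct build_result h = build_response(35, 0x11, 1);
    printf("unchecked: 35 triplets -> %zu bytes, %zu written past slcbuf\n", v.len, v.clobbered);
    printf("checked:   35 offered  -> %d appended, %zu bytes, %zu past slcbuf\n", h.accepted, h.len, h.clobbered);
    return 0;
}
```

With 34 triplets the unchecked builder fills the buffer exactly (4 + 102 + 2 = 108 bytes); the 35th pushes the data one byte past the end and the trailer two more, which is the "about 35 triplets" figure in the report. The checked builder stops at 34 and the canary stays intact. Whether the real patch drops, truncates or flushes a response that would overflow is not stated on this page; the refusal here is simply the conservative choice for a demo.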
The maintainers prepared a patch the next day and planned to release it by April 1, according to the timeline in Dream’s advisory.
Vulnerable systems include embedded systems and IoT devices with an exposed Telnet interface; servers and appliances that listen on TCP port 23 and use the vulnerable codebase; and Linux distributions that ship inetutils and leave telnetd enabled or installable, including Debian, Ubuntu, RHEL and SUSE, Dream said.
“A single network connection to port 23 is sufficient to trigger the vulnerability. No credentials, no user interaction, and no special network position are required,” it said.
Dream advised a number of immediate workarounds until the software can be patched, including migrating to secure alternatives such as SSH and disabling telnetd or running it without root privileges. Where that’s not possible, it advised blocking port 23 at the network perimeter and restricting access to trusted hosts.
This is the second Telnet-related flaw to surface this year, following the discovery in January of an authentication bypass bug that exposed devices to complete takeover.