
One Packet. Full Root. GNU Telnetd Has a Critical Hole Nobody Logged

CVE-2026-32746: A pre-auth buffer overflow in GNU Inetutils telnetd lets attackers gain root remotely. No login needed. Patch or disable now.


Security researchers have found a critical, pre-authentication remote code execution flaw in the telnetd server in GNU Inetutils that allows any unauthenticated attacker to seize full root control of a machine with a single network connection — no login, no user interaction, no warning in the logs.

The vulnerability, tracked as CVE-2026-32746 and rated 9.8 out of 10 on the CVSS severity scale, was discovered by the Dream Security research team and disclosed to the maintainers of GNU Inetutils on March 11, 2026. 

It affects all versions of GNU Inetutils through 2.7, including the current development branch, and may also affect any Telnet server derived from the original BSD codebase that carries the same SLC implementation.

The flaw sits in the server's LINEMODE SLC handler — the code responsible for negotiating terminal control-key mappings in the opening milliseconds of a Telnet session, well before any login prompt appears. Because the vulnerable code runs during connection setup, not after authentication, the attack requires nothing from the victim. A remote attacker needs only to reach TCP port 23.

At the heart of the bug is a fixed 108-byte buffer, slcbuf, in telnetd/slc.c. The function add_slc() appends a three-byte reply for every unrecognised SLC function code it receives, but contains no check on whether the buffer has space remaining.

An attacker who sends a crafted LINEMODE suboption carrying 40 or more triplets — each just three bytes — will push writes past the buffer's boundary after roughly the 35th entry, corrupting adjacent memory. The overwritten pointer is subsequently used by end_slc() to write a terminator byte, giving the attacker a controllable, arbitrary write in memory and a clear path to code execution as root.
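To make the missing bounds check concrete, here is an added illustrative model of the append path in C. It is not the GNU Inetutils source and not the project's fix: the buffer size is the 108 bytes the article gives, while the four-byte header (IAC SB LINEMODE SLC), the two-byte IAC SE trailer and the slc_reply_* names are assumptions made for this example. The hardened slc_reply_add refuses any triplet that would not leave room for the trailer, so a suboption carrying 40 triplets ends with the reply still inside its buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Telnet constants from RFC 854 (commands) and RFC 1184 (LINEMODE/SLC). */
#define IAC             255
#define SB              250
#define SE              240
#define TELOPT_LINEMODE  34
#define LM_SLC            3

/* Constructed model: 108 bytes is the size the article reports for slcbuf.
 * The header/trailer layout below is an assumption for this example and is
 * not taken from the inetutils source. */
#define SLCBUF_SIZE      108
#define SLC_HEADER_LEN     4   /* IAC SB LINEMODE SLC */
#define SLC_TRAILER_LEN    2   /* IAC SE */

struct slc_reply {
    unsigned char buf[SLCBUF_SIZE];
    size_t len;                 /* bytes written so far */
};

/* Start a reply: write the fixed header. */
void slc_reply_start(struct slc_reply *r)
{
    static const unsigned char hdr[SLC_HEADER_LEN] = { IAC, SB, TELOPT_LINEMODE, LM_SLC };
    memcpy(r->buf, hdr, SLC_HEADER_LEN);
    r->len = SLC_HEADER_LEN;
}

/* The defect class the article describes, in its generic shape (comment only,
 * never executed here): a cursor advances three bytes per triplet with no
 * comparison against the end of the buffer, so the peer's input length, not
 * the buffer size, decides where the writes stop.
 *
 *     *p++ = func; *p++ = flags; *p++ = level;
 */

/* Hardened append: drop the triplet when it (plus the trailer) would not fit.
 * Returns 0 when stored, -1 when the buffer is full. */
int slc_reply_add(struct slc_reply *r, unsigned char func,
                  unsigned char flags, unsigned char level)
{
    if (r->len + 3 + SLC_TRAILER_LEN > SLCBUF_SIZE)
        return -1;
    r->buf[r->len++] = func;
    r->buf[r->len++] = flags;
    r->buf[r->len++] = level;
    return 0;
}

/* Terminate the reply. Always fits, because slc_reply_add reserved the room. */
size_t slc_reply_end(struct slc_reply *r)
{
    r->buf[r->len++] = IAC;
    r->buf[r->len++] = SE;
    return r->len;
}

/* Offer n triplets with constructed, unrecognised function codes and report
 * how many the bounded append accepted; *out_len receives the final length. */
int slc_reply_probe(int n, size_t *out_len)
{
    struct slc_reply r;
    int accepted = 0;
    slc_reply_start(&r);
    for (int i = 0; i < n; i++)
        if (slc_reply_add(&r, (unsigned char)(100 + i), 0, 0) == 0)
            accepted++;
    *out_len = slc_reply_end(&r);
    return accepted;
}

int main(void)
{
    size_t len;
    int stored = slc_reply_probe(40, &len);
    printf("40 triplets offered, %d stored, reply is %zu of %d bytes\n",
           stored, len, SLCBUF_SIZE);
    return 0;
}
```

With this layout the buffer holds 34 triplets; offering 40 stores 34 and leaves a reply of exactly 108 bytes, whereas an unchecked cursor would already be past the end. The point of the design is that the capacity check lives in the append, so end_slc-style termination never has to reason about space itself.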

Dream Security describes the consequence as total host compromise. Because telnetd typically runs under inetd or xinetd with root privileges, a successful exploit opens the door to installing persistent backdoors, exfiltrating sensitive data, and using the compromised host as a pivot point for deeper network intrusion — all from a single unauthenticated connection.

What makes the vulnerability particularly dangerous is its reach beyond conventional server infrastructure. Telnet remains embedded in industrial control systems, programmable logic controllers, SCADA platforms, and government network appliances — environments where replacing legacy protocols is often prohibited by cost, operational risk, or the absence of vendor support for hardware that predates SSH. 

In those sectors, a successful exploit does not merely mean a compromised server; it can mean an attacker holding root access to the systems that run power grids, water treatment facilities, or manufacturing lines.

The exposure extends across major Linux distributions, including Debian, Ubuntu, RHEL, and SUSE, all of which ship inetutils. Embedded and IoT devices that expose port 23 for management are equally at risk. 

Critically, because exploitation occurs during option negotiation rather than at the login stage, standard authentication logs — including /var/log/auth.log — will show nothing. An attack that succeeds leaves no fingerprint in the places most administrators look first.

Dream Security is recommending that administrators disable telnetd immediately where it is not operationally essential, calling the measure mandatory rather than advisory until a patched release ships.

For environments where Telnet cannot be disabled, the researchers advise blocking port 23 at the perimeter firewall, restricting access to known trusted IP ranges, and enabling firewall-level connection logging, with logs shipped off-host to prevent tampering after a root-level compromise. 

On the detection side, deploying a Snort or Suricata IDS signature to alert on LINEMODE SLC suboptions carrying payloads larger than 90 bytes will identify exploitation attempts before they complete.
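As an added example of the detection idea (not a Snort or Suricata rule, and not code from the article or the project), the C routine below walks a captured client-to-server byte stream, honours the IAC IAC escape inside suboptions, measures each LINEMODE SLC suboption's payload and counts those above the 90-byte threshold the article cites. Which bytes count as payload (everything after the LM_SLC code up to IAC SE), the function names and the sample stream are assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Telnet command and option codes (RFC 854, RFC 1184). */
#define IAC             255
#define SB              250
#define SE              240
#define WILL            251
#define WONT            252
#define DO              253
#define DONT            254
#define TELOPT_LINEMODE  34
#define LM_SLC            3

/* Alert threshold from the article: SLC payloads above 90 bytes (30 triplets). */
#define SLC_ALERT_THRESHOLD 90

/* Scan a client->server byte stream. For every IAC SB LINEMODE SLC ... IAC SE
 * suboption, count the payload bytes after the LM_SLC code (an IAC IAC escape
 * counts once) and return how many exceeded the threshold. If max_payload is
 * non-NULL it receives the largest SLC payload seen. Unterminated or malformed
 * suboptions are skipped rather than trusted. */
int scan_telnet_slc(const unsigned char *data, size_t len, size_t *max_payload)
{
    int alerts = 0;
    size_t i = 0, maxp = 0;

    while (i + 1 < len) {
        if (data[i] != IAC) { i++; continue; }
        unsigned char cmd = data[i + 1];
        if (cmd == IAC) { i += 2; continue; }                 /* escaped 0xFF in data */
        if (cmd >= WILL && cmd <= DONT) { i += 3; continue; } /* 3-byte negotiation */
        if (cmd != SB) { i += 2; continue; }                  /* other 2-byte commands */

        /* Inside a suboption: identify LINEMODE SLC and find the payload start. */
        size_t k = i + 2;
        int is_slc = (k + 1 < len && data[k] == TELOPT_LINEMODE && data[k + 1] == LM_SLC);
        if (is_slc) k += 2;

        size_t payload = 0;
        int terminated = 0;
        while (k < len) {
            if (data[k] == IAC) {
                if (k + 1 < len && data[k + 1] == IAC) { payload++; k += 2; continue; }
                if (k + 1 < len && data[k + 1] == SE) { terminated = 1; k += 2; }
                break;   /* IAC SE closes the suboption; anything else is malformed */
            }
            payload++;
            k++;
        }

        if (is_slc && terminated) {
            if (payload > SLC_ALERT_THRESHOLD) alerts++;
            if (payload > maxp) maxp = payload;
        }
        i = k;   /* resume after IAC SE, or at the stray IAC for the outer loop */
    }

    if (max_payload) *max_payload = maxp;
    return alerts;
}

/* Build a constructed LINEMODE SLC suboption with the given number of triplets. */
size_t build_slc_suboption(unsigned char *out, int triplets)
{
    size_t n = 0;
    out[n++] = IAC; out[n++] = SB; out[n++] = TELOPT_LINEMODE; out[n++] = LM_SLC;
    for (int t = 0; t < triplets; t++) {
        out[n++] = (unsigned char)(1 + t);   /* SLC function number (constructed) */
        out[n++] = 0x02;                     /* flags octet (constructed) */
        out[n++] = 0x10;                     /* value octet (constructed) */
    }
    out[n++] = IAC; out[n++] = SE;
    return n;
}

/* Constructed capture: ordinary negotiation, a normal 5-triplet SLC, some text
 * containing an escaped 0xFF, then a 40-triplet SLC (120-byte payload). */
int demo_alert_count(size_t *max_payload)
{
    unsigned char stream[512];
    size_t n = 0;
    stream[n++] = IAC; stream[n++] = DO; stream[n++] = TELOPT_LINEMODE;
    n += build_slc_suboption(stream + n, 5);
    stream[n++] = 'h'; stream[n++] = IAC; stream[n++] = IAC; stream[n++] = 'i';
    n += build_slc_suboption(stream + n, 40);
    return scan_telnet_slc(stream, n, max_payload);
}

int main(void)
{
    size_t maxp = 0;
    int alerts = demo_alert_count(&maxp);
    printf("%d oversized SLC suboption(s), largest payload %zu bytes\n", alerts, maxp);
    return 0;
}
```

The scanner deliberately measures the suboption as framed on the wire rather than counting triplets, because a reassembled IDS rule sees bytes, not parsed SLC entries; a 30-triplet suboption (exactly 90 bytes) stays under the threshold while 31 triplets trips it. Run it over a reassembled TCP stream from port 23; the same walk is what a content-length condition in a Snort or Suricata rule would have to express.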

The response from the GNU Inetutils project was swift. Maintainer Collin Funk confirmed the finding and submitted a fix via pull request the day after the report was filed.

Project owner Simon Josefsson approved the patch the same day and has committed to a public release no later than April 1, 2026. The CVE was formally assigned and published on March 13, 2026. No confirmed exploitation in the wild had been reported at the time of publication.

The vulnerability was discovered and reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, and Daniel Lubel of the Dream Security Research Team.
