CVE-2026-32746: Pre-Auth RCE in GNU inetutils Telnetd Affects Dozens of Systems
A 32-year-old buffer overflow in GNU inetutils Telnetd allows pre-authentication remote code execution, impacting Linux distributions, FreeBSD, NetBSD, Citrix NetScaler, and others.
A critical vulnerability in GNU inetutils Telnetd, tracked as CVE-2026-32746, has been disclosed by the DREAM Security Research Team. The flaw is a pre-authentication BSS-based buffer overflow in the LINEMODE SLC (Set Linemode Characters) negotiation handler, allowing an attacker to corrupt roughly 400 bytes of adjacent variables and achieve remote code execution before authentication. The bug dates back to 1994, making it older than many security researchers.
The vulnerability resides in the Telnet protocol's LINEMODE feature, defined in RFC 1184, which reduces network traffic by processing command lines locally. The overflow occurs during negotiation of SLC settings, which are exchanged via in-band signaling using the IAC (Interpret As Command) byte (0xFF). An attacker can send a crafted sequence of bytes to trigger the overflow, corrupting memory and potentially gaining control of the server.
Affected systems include inetutils-telnetd itself, Ubuntu, Debian, FreeBSD 13 and 15 Port, NetBSD 10.1, Citrix NetScaler, Apple Mac Tahoe, Haiku, TrueNAS Core, uCLinux, libmtev, and DragonFlyBSD. The broad impact stems from many vendors basing their Telnetd implementations on the same GNU inetutils code, often with minimal changes over decades. The patch has been applied to inetutils-telnetd, but forks and downstream projects may lag.
Despite Telnet being largely replaced by SSH, it remains in use on legacy systems, embedded devices, and industrial equipment where migration is impractical. The protocol's plaintext transmission and extensive feature set make it a persistent attack surface. Previous Telnet vulnerabilities, such as CVE-2026-24061 (an environment variable RCE), highlight the risks of maintaining such legacy code.
Exploitation of CVE-2026-32746 is complex due to the need to precisely corrupt adjacent variables without crashing the process. However, the pre-authentication nature means no credentials are required, making it attractive for initial access. The watchTowr Labs analysis notes that while the vulnerability is severe, crafting a reliable exploit requires deep understanding of the target's memory layout.
Administrators are urged to disable Telnetd where possible, apply the patch from inetutils, or restrict access via firewalls. The CVE has not yet been added to CISA's Known Exploited Vulnerabilities catalog, but given the widespread impact and availability of analysis, exploitation may follow. This vulnerability underscores the dangers of long-lived code in network-facing services.