Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

Initial publication. Dream Security disclosed CVE-2026-32746 on March 11, 2026. Censys identified approximately 3,362 exposed internet-facing hosts as of March 18. watchTowr Labs has since published a broader analysis showing the vulnerable SLC handler code spread across FreeBSD, NetBSD, Citrix NetScaler, TrueNAS Core, and other platforms. No patch is available; fix expected by April 1, 2026.


Changelog

Date         Summary
24 Mar 2026  Initial publication covering CVE-2026-32746, Dream Security advisory, and watchTowr Labs follow-up analysis.

A pre-authentication remote code execution vulnerability in GNU InetUtils telnetd is sitting unpatched. Any internet-facing telnet service running GNU InetUtils through version 2.7 is exposed right now.

What the vulnerability is

CVE-2026-32746 is an out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler inside telnetd. LINEMODE (RFC 1184) is a Telnet option negotiated before any login prompt; its SLC subnegotiation lets client and server agree on which local special characters (interrupt, erase, end-of-file and so on) the client's line editor should act on, and it carries that information as a run of three-byte triplets: a function code, a flags byte, and the character value. The bug triggers when a crafted SLC suboption carrying far more triplets than a legitimate client would ever send arrives during that negotiation.

The result is a heap buffer overflow. The overflow corrupts memory, enables arbitrary writes, and under the right conditions leads to remote code execution. Because telnetd typically runs as root – launched via inetd or xinetd – successful exploitation means full system compromise.

The critical detail: the SLC negotiation happens before the login prompt. An attacker does not need credentials. A single TCP connection to port 23 is sufficient to trigger the flaw.

Israeli cybersecurity company Dream discovered and reported the vulnerability on March 11, 2026. The CVSS score is 9.8 out of 10.0.

What is affected

All versions of the GNU InetUtils telnet daemon through 2.7 are affected, according to Dream’s advisory.

watchTowr Labs followed up with a broader analysis showing that the same vulnerable handler has been carried into a wide range of platforms: FreeBSD, NetBSD, Citrix NetScaler, Haiku, TrueNAS Core, uCLinux, libmtev, and DragonFlyBSD. The underlying SLC handler code has been copied and modified across these systems, particularly in legacy and embedded environments, so each port needs to be assessed on its own.

As of March 18, 2026, attack surface management platform Censys identified approximately 3,362 internet-exposed hosts running a vulnerable telnetd instance.

watchTowr notes that while reliable remote code execution is difficult and environment-specific, the vulnerability can facilitate memory corruption, pointer leaks, and arbitrary writes. The exact impact varies depending on how the code has been modified in each downstream platform.

Why no patch changes everything

A patch is expected by April 1, 2026, according to Dream. Until then, there is no fix available from the GNU InetUtils project.

This matters because CVE-2026-32746’s predecessor – CVE-2026-24061, another critical flaw in GNU InetUtils telnetd with a CVSS score of 9.8 – was disclosed in January 2026 and has since come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency. That pattern should inform how urgently you treat this one.

What to do now

There is no patch to apply. The mitigations are operational:

Disable telnetd entirely if it is not actively required. Telnet sends credentials in cleartext and has no legitimate role on any modern internet-facing host.

Block port 23 at the network perimeter and at the host-based firewall level. If telnet access is genuinely needed internally, restrict it to specific source IPs with explicit firewall rules. Do not leave port 23 reachable from the internet.

Do not run telnetd as root. If you cannot disable the service, drop privileges where the platform allows it. Running as a non-root user limits the blast radius of a successful exploit, though memory corruption primitives can still be dangerous regardless. Bear in mind that telnetd hands the session to login(1), which needs root to switch to the authenticated user, so an unprivileged telnetd generally breaks interactive logins; treat this as a containment measure, not a drop-in substitute for disabling the service or restricting who can reach it.

Audit your exposure. Check whether any of the affected platforms – GNU InetUtils itself on Linux, FreeBSD, NetBSD, NetScaler, TrueNAS Core and the rest of watchTowr's list – are running telnetd in your environment, including embedded or legacy systems that may not be on your primary asset list. Look at inetd and xinetd configuration as well as listening sockets: a telnetd launched from inetd only exists for the duration of a connection, so it will not show up in a process listing on an idle host.

The Censys figure of 3,362 exposed hosts is likely conservative. Legacy and embedded systems are the hardest to enumerate and the slowest to patch. If you manage infrastructure that includes any of those platforms, check now.
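As an added example that is not code from GNU InetUtils, Dream, watchTowr or Censys, the Python below covers two things from this page: what the SLC subnegotiation described under "What the vulnerability is" actually looks like on the wire (a parser that unescapes IAC sequences, decodes SLC triplets and flags a suboption carrying an implausible number of them, for use over a client-to-server capture), and the exposure audit above (a probe that reads a host's opening negotiation so you can tell a live telnet service from a closed or filtered port). Byte values come from RFC 854 and RFC 1184; the sample captures, the 32-triplet threshold and all function names are this example's own assumptions.

```python
# Telnet option-stream parser, LINEMODE SLC decoder and port-23 probe.
# Added example: not code from GNU InetUtils, Dream, watchTowr or Censys.
# Byte values follow RFC 854 (Telnet) and RFC 1184 (LINEMODE); the sample
# captures and the triplet threshold are this example's own assumptions.
import socket

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
TELOPT_LINEMODE, LM_SLC = 34, 3            # option code, SLC suboption command
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

def parse_telnet(data: bytes):
    """Split a Telnet stream into ('data', bytes), ('cmd', verb, option) and
    ('sb', option, payload) records; IAC IAC in a subnegotiation becomes 0xFF."""
    out, text, i, n = [], bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            text.append(data[i]); i += 1; continue
        if i + 1 >= n:
            break                                  # truncated IAC at end
        c = data[i + 1]
        if c == IAC:                               # escaped 0xFF data byte
            text.append(IAC); i += 2; continue
        if text:
            out.append(("data", bytes(text))); text = bytearray()
        if c in VERBS and i + 2 < n:
            out.append(("cmd", VERBS[c], data[i + 2])); i += 3
        elif c == SB and i + 2 < n:
            opt, j, payload = data[i + 2], i + 3, bytearray()
            while j < n:                           # collect until IAC SE
                if data[j] == IAC and j + 1 < n and data[j + 1] == IAC:
                    payload.append(IAC); j += 2
                elif data[j] == IAC:               # IAC SE (or malformed end)
                    j += 2; break
                else:
                    payload.append(data[j]); j += 1
            out.append(("sb", opt, bytes(payload)))
            i = j
        else:
            i += 2                                 # NOP, GA, ...: no option byte
    if text:
        out.append(("data", bytes(text)))
    return out

def decode_slc(payload: bytes):
    """Body of IAC SB LINEMODE SLC ... IAC SE -> [(function, flags, value)],
    or None when it is not an SLC suboption or the triplets are ragged."""
    if not payload or payload[0] != LM_SLC or len(payload) % 3 != 1:
        return None
    b = payload[1:]
    return [(b[k], b[k + 1], b[k + 2]) for k in range(0, len(b), 3)]

def encode_slc(triplets):
    """Wire form of an SLC suboption (IAC doubled); used only to build samples."""
    body = bytes(v for t in triplets for v in t).replace(b"\xff", b"\xff\xff")
    return bytes([IAC, SB, TELOPT_LINEMODE, LM_SLC]) + body + bytes([IAC, SE])

def suspicious_slc(capture: bytes, max_triplets: int = 32):
    """Flag SLC suboptions in a client-to-server capture carrying more triplets
    than a real client sends. RFC 1184 defines a short fixed list of SLC
    functions, one triplet each; 32 is an assumed threshold, tune it."""
    findings = []
    for rec in parse_telnet(capture):
        if rec[0] != "sb" or rec[1] != TELOPT_LINEMODE:
            continue
        triplets = decode_slc(rec[2])
        if triplets is None:
            continue
        funcs = [f for f, _, _ in triplets]
        if len(triplets) > max_triplets or len(set(funcs)) < len(funcs):
            findings.append({"triplets": len(triplets),
                             "repeated_functions": len(funcs) - len(set(funcs))})
    return findings

def probe_telnet(host: str, port: int = 23, timeout: float = 3.0):
    """Read a host's opening negotiation and return its (verb, option) pairs,
    e.g. ('DO', 34) = the server asked for LINEMODE. Any IAC reply means a
    telnet service to audit; this does not fingerprint the InetUtils version."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while len(buf) < 512:
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return [r[1:] for r in parse_telnet(buf) if r[0] == "cmd"]

# Constructed sample captures (not real traffic).
# A normal client: WILL LINEMODE, an SLC setting IP=^C and EOF=^D, then input.
CLIENT_OK = (bytes([IAC, WILL, TELOPT_LINEMODE])
             + encode_slc([(3, 2, 3), (8, 2, 4)]) + b"root\r\n")
# The shape the advisory describes: one SLC suboption stuffed with triplets
# (200 copies of function 1, value 0xFF so IAC escaping is exercised too).
CLIENT_FLOOD = bytes([IAC, WILL, TELOPT_LINEMODE]) + encode_slc([(1, 2, 255)] * 200)
```

`suspicious_slc(CLIENT_OK)` returns no findings, while `suspicious_slc(CLIENT_FLOOD)` reports a single suboption with 200 triplets; run the same function over the client side of a port-23 capture (for example the payload bytes extracted from a pcap) to look for the pre-login pattern the advisory describes. For the audit, `probe_telnet("10.0.0.5")` (a placeholder address) connects and returns whatever DO/WILL options the server volunteers; a non-empty list is a telnet service that should be on your list regardless of what it negotiates, because the probe says nothing about the patch level.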

Sources: The Hacker News | Dream advisory | watchTowr Labs analysis | GNU InetUtils bug report | Censys advisory