Commissioned, Curated and Published by Russ. Researched and written with AI.
What’s New
| Date | Update |
|---|---|
| 18 Mar 2026 | Censys data from March 18, 2026 puts the number of exposed hosts at approximately 3,362. watchTowr Labs has since confirmed the vulnerable code extends well beyond GNU InetUtils - FreeBSD, NetBSD, Citrix NetScaler, TrueNAS Core, uCLinux, Haiku, li… |
Changelog
| Date | Summary |
|---|---|
| 24 Mar 2026 | Initial publication covering CVE-2026-32746, affected systems, and mitigations. |
A single TCP connection to port 23 is enough to get root on a vulnerable server. No credentials. No user interaction. No special network position. The vulnerability is triggered during the initial protocol handshake – before any login prompt appears.
That’s CVE-2026-32746, a CVSS 9.8 buffer overflow in the GNU InetUtils telnet daemon (telnetd). There is no patch yet.
The Flaw
The bug lives in the LINEMODE Set Local Characters (SLC) suboption handler – the code that processes option negotiation during the Telnet protocol handshake. An attacker can send a specially crafted SLC suboption with an excessive number of triplets, triggering an out-of-bounds write that corrupts memory and can be turned into arbitrary code execution.
Because this happens during option negotiation rather than after authentication, the entire authentication layer is irrelevant. By the time the server would ask who you are, you’ve already won.
Israeli cybersecurity firm Dream discovered and reported the flaw on March 11, 2026. It affects all versions of the GNU InetUtils telnet daemon through 2.7. A fix is expected no later than April 1, 2026 – but as of publication, nothing is available.
Dream researcher Adiel Sol described the mechanism on the GNU mailing list: the overflow corrupts memory in a way that can be turned into arbitrary writes, and because telnetd typically runs as root under inetd or xinetd, a successful exploit gives complete system control.
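As an added example (not from the post, and not InetUtils code), here is a defender-side parser in Python that walks a captured Telnet byte stream, counts the triplets in each LINEMODE SLC suboption, and flags any that exceed a threshold; the protocol constants come from RFC 854 and RFC 1184, while the threshold value and the sample capture are assumptions constructed for illustration.

```python
IAC, SB, SE = 255, 250, 240      # RFC 854 command bytes
LINEMODE, SLC = 34, 3            # RFC 1184 option and suboption codes
MAX_SLC_TRIPLETS = 30            # assumed detection threshold (tune per environment)

def parse_slc_suboptions(stream: bytes):
    """Return (offset, triplet_count) for each LINEMODE SLC suboption found.
    IAC bytes inside a suboption arrive escaped as IAC IAC and are unescaped."""
    results = []
    i = 0
    while i < len(stream):
        # Suboption header: IAC SB LINEMODE SLC
        if stream[i:i + 4] == bytes([IAC, SB, LINEMODE, SLC]):
            start = i
            i += 4
            payload = bytearray()
            # Consume until the IAC SE terminator, unescaping doubled IACs
            while i < len(stream):
                b = stream[i]
                if b == IAC and i + 1 < len(stream):
                    if stream[i + 1] == IAC:
                        payload.append(IAC)
                        i += 2
                        continue
                    if stream[i + 1] == SE:
                        i += 2
                        break
                payload.append(b)
                i += 1
            # Each SLC entry is a (function, modifier, value) triplet
            results.append((start, len(payload) // 3))
        else:
            i += 1
    return results

def flag_oversized_slc(stream: bytes, limit: int = MAX_SLC_TRIPLETS):
    """Return offsets of SLC suboptions carrying more than `limit` triplets."""
    return [off for off, n in parse_slc_suboptions(stream) if n > limit]

# Constructed sample capture: a normal two-triplet SLC negotiation, some data,
# then an oversized suboption (600 zero bytes = 200 triplets) that a detector
# should flag. These are test fixtures, not traffic from any real session.
BENIGN = bytes([IAC, SB, LINEMODE, SLC, 1, 0x82, 0x03, 2, 0x82, 0x1C, IAC, SE])
OVERSIZED = bytes([IAC, SB, LINEMODE, SLC]) + bytes(600) + bytes([IAC, SE])
CAPTURE = b"\x01\x02" + BENIGN + b"hello" + OVERSIZED

if __name__ == "__main__":
    print(flag_oversized_slc(CAPTURE))  # offsets of suspicious suboptions
```

The same count can be applied on the server side as an input-validation guard before the triplets are copied anywhere, which is the check the vulnerable handler lacks.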
Scope
The initial disclosure focused on GNU InetUtils. The real picture is broader. watchTowr Labs found the vulnerable code present in FreeBSD, NetBSD, Citrix NetScaler, Haiku, TrueNAS Core, uCLinux, libmtev, and DragonFlyBSD – a spread that makes sense given how much this code has been reused and modified across platforms over the decades.
watchTowr researchers described the vulnerability’s reach as striking, noting that a large portion of systems running any Telnet server include this vulnerable code.
That said, watchTowr also tempered the exploitation picture: reliable remote code execution is difficult and environment-specific. Memory corruption, pointer leaks, and arbitrary writes are achievable in some configurations. The exact impact varies by platform, and the underlying code has diverged significantly across legacy and embedded environments. The worst-case outcome is full system compromise. The realistic outcome depends heavily on the target.
As of March 18, Censys identified approximately 3,362 internet-exposed hosts running a vulnerable telnetd.
Prior Art
This isn’t the first rodeo for GNU InetUtils telnetd in 2026. CVE-2026-24061, also carrying a CVSS score of 9.8, was disclosed earlier this year and has since come under active exploitation – enough that CISA added it to its Known Exploited Vulnerabilities catalog. watchTowr also notes a historical parallel: CVE-2005-0469, a client-side vulnerability from 2005, affects the same SLC handling code on the Telnet client side.
The pattern here is a codebase that’s been copied and embedded across systems for 30+ years, carrying the same bugs with it.
What to Do
No patch exists yet. In the meantime:
- **Disable it if you can.** Telnet has no business being internet-facing in 2026. If you’re running it because something legacy requires it, that’s a separate problem worth solving.
- **Block port 23 at the perimeter.** If telnetd must run, it should not be reachable from the public internet. Firewall rules and host-based blocking both apply here.
- **Run without root if you must keep it running.** The worst-case outcome depends on telnetd running as root. Reducing that privilege doesn’t fix the vulnerability but limits the blast radius if it’s hit.
- **Isolate Telnet access.** Segment and restrict who can reach it. A vulnerability that requires a network connection is a vulnerability that can be mitigated with network controls.
- **Watch for the patch.** Dream indicated it’s expected by April 1, 2026. When it lands, deploy it immediately – CVE-2026-24061 went from disclosure to active exploitation in the wild. There’s no reason to assume CVE-2026-32746 won’t follow the same path once a working exploit is more widely available.
If you’re running embedded or legacy systems in the watchTowr list – NetScaler, TrueNAS, FreeBSD derivatives – check with those vendors independently. The patch timeline for GNU InetUtils may not translate to those platforms.