Telnet: Critical vulnerability allows injecting malicious code from the network
A vulnerability in the telnetd of GNU Inetutils allows unauthenticated attackers on the network to inject and execute malicious code.
IT administrators should urgently restrict access to their instances of telnetd from GNU Inetutils to trusted machines, or replace the service with an encrypted alternative. A newly discovered vulnerability allows attackers on the network to inject and execute arbitrary code without prior authentication.
The vulnerability now has a CVE entry (CVE-2026-32746, CVSS 9.8, risk "critical"). It describes an out-of-bounds write in the code that processes the telnet LINEMODE "SLC" (Set Local Characters) suboption: the add_slc function simply does not check whether its output buffer is already full before appending to it. GNU Inetutils up to and including version 2.7 is affected; that is currently the latest release, dated December 2025 and available for download from the GNU servers. According to the report by the discoverers, the current development code in the HEAD branch was also vulnerable at least as of March 11, 2026.
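The following C model of the bug class is an added example written for this page; it is not the GNU Inetutils source, and the real add_slc, its buffer layout, and the constants NSLC, SLC_BUF_LEN and GUARD_LEN used here are assumptions chosen for illustration. It shows the pattern the advisory describes, an append routine that writes SLC triplets into a fixed buffer without checking the remaining space, next to a checked variant, and makes the overflow observable by placing sentinel bytes after the buffer inside one heap allocation (so the demonstration itself never writes outside allocated memory).

```c
/* Illustrative model of an unchecked SLC-reply append, NOT GNU Inetutils code.
 * All sizes and names below are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IAC 255                      /* telnet "Interpret As Command" byte */
#define NSLC 18                      /* assumed: number of SLC functions tracked */
#define SLC_BUF_LEN (NSLC * 4 + 6)   /* assumed: NSLC escaped triplets plus framing */
#define GUARD_LEN 8                  /* sentinel bytes placed right after the buffer */
#define GUARD_BYTE 0xA5

struct slc_reply {
    unsigned char *buf;   /* SLC_BUF_LEN reply bytes followed by GUARD_LEN sentinel bytes */
    unsigned char *ptr;   /* next free byte in buf */
};

static int slc_init(struct slc_reply *r)
{
    r->buf = malloc(SLC_BUF_LEN + GUARD_LEN);
    if (!r->buf)
        return -1;
    memset(r->buf, 0, SLC_BUF_LEN);
    memset(r->buf + SLC_BUF_LEN, GUARD_BYTE, GUARD_LEN);
    r->ptr = r->buf;
    return 0;
}

static void slc_free(struct slc_reply *r)
{
    free(r->buf);
    r->buf = r->ptr = NULL;
}

/* Number of sentinel bytes that an out-of-bounds write has overwritten. */
static size_t slc_guard_damage(const struct slc_reply *r)
{
    size_t damaged = 0;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (r->buf[SLC_BUF_LEN + i] != GUARD_BYTE)
            damaged++;
    return damaged;
}

/* Vulnerable pattern: append a (function, flags, value) triplet with no space check. */
static void add_slc_unchecked(struct slc_reply *r, unsigned char func,
                              unsigned char flags, unsigned char val)
{
    *r->ptr++ = func;
    *r->ptr++ = flags;
    *r->ptr++ = val;
    if (val == IAC)
        *r->ptr++ = IAC;   /* a literal 0xFF inside a subnegotiation must be doubled */
}

/* Hardened variant: refuse the triplet when fewer bytes remain than it needs. */
static int add_slc_checked(struct slc_reply *r, unsigned char func,
                           unsigned char flags, unsigned char val)
{
    size_t need = (val == IAC) ? 4 : 3;
    size_t used = (size_t)(r->ptr - r->buf);
    if (used > SLC_BUF_LEN || SLC_BUF_LEN - used < need)
        return -1;   /* buffer full: drop the triplet instead of writing past the end */
    add_slc_unchecked(r, func, flags, val);
    return 0;
}

/* Feed n worst-case triplets (value byte IAC, 4 bytes each) through the unchecked path.
 * Returns how many sentinel bytes were clobbered. n is capped so this demo never
 * leaves the allocation; the real bug class has no such cap. */
static size_t flood_unchecked(int n)
{
    struct slc_reply r;
    int cap = (SLC_BUF_LEN + GUARD_LEN) / 4;
    if (n > cap)
        n = cap;
    if (slc_init(&r) != 0)
        return (size_t)-1;
    for (int i = 0; i < n; i++)
        add_slc_unchecked(&r, (unsigned char)(i % NSLC + 1), 0, IAC);
    size_t damage = slc_guard_damage(&r);
    slc_free(&r);
    return damage;
}

/* Same flood through the checked path. Returns the number of refused triplets,
 * or -1 if the sentinel bytes were touched (which must never happen). */
static int flood_checked(int n)
{
    struct slc_reply r;
    int refused = 0;
    if (slc_init(&r) != 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (add_slc_checked(&r, (unsigned char)(i % NSLC + 1), 0, IAC) != 0)
            refused++;
    if (slc_guard_damage(&r) != 0)
        refused = -1;
    slc_free(&r);
    return refused;
}

int main(void)
{
    printf("unchecked, 19 triplets: %zu guard bytes clobbered\n", flood_unchecked(19));
    printf("unchecked, 20 triplets: %zu guard bytes clobbered\n", flood_unchecked(20));
    printf("checked,   40 triplets: %d refused, guard intact\n", flood_checked(40));
    return 0;
}
```

With the assumed sizes, 19 escaped triplets fill 76 of the 78 buffer bytes; the 20th spills two bytes past the end in the unchecked path, while the checked path refuses every triplet from the 20th onwards and never touches the sentinel. A real fix also has to decide what to do with the dropped data (drop the option, or reject the whole subnegotiation), which this model does not show.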
A patched release is not yet available. The developers currently plan to publish a fixed version on April 1, 2026.
Countermeasures: Shut it down
At least until then, access to the GNU Inetutils telnet daemon (by default on port 23/TCP) should be restricted to absolutely trusted machines, for example with a firewall. Better still, use a service for remote access that encrypts its traffic instead of sending it over the network in the clear, such as Secure Shell (SSH).
Back in January, another security vulnerability in the telnetd of GNU Inetutils became known. Attackers could trivially log in as root and, as with the vulnerability now disclosed, compromise entire servers.
(dmk)