Critical GNU InetUtils telnetd RCE via SLC Overflow
🚨 A critical out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler of GNU InetUtils telnetd (CVE-2026-32746) enables unauthenticated remote attackers to achieve remote code execution as root. Discovered by Dream on March 11, 2026, the flaw affects releases through 2.7 and carries a CVSS score of 9.8. Exploitation can succeed during the initial Telnet handshake with a single connection to port 23; no credentials or user interaction are required. A patch is expected by April 1, 2026; until then, disable Telnet, avoid running telnetd as root, and block port 23.
