CVE-2026-32746
Out-of-Bounds Write in GNU inetutils telnetd LINEMODE Handler
Publication date: 2026-03-13
Last updated on: 2026-05-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnu | inetutils | to 2.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32746 is a critical remote pre-authentication buffer overflow vulnerability in the GNU Inetutils telnetd server, specifically in the LINEMODE SLC (Set Local Characters) suboption handler.
The flaw occurs because the add_slc() function appends 3-byte SLC triplets to a fixed 108-byte buffer without checking if there is enough space, leading to an out-of-bounds write when too many triplets are sent.
An attacker can send a specially crafted LINEMODE SLC suboption containing many triplets with function codes greater than 18, causing the buffer to overflow after about 35 triplets.
This overflow corrupts adjacent memory, including pointers, which can then be exploited to perform arbitrary memory writes and ultimately achieve remote code execution with root privileges.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the affected system with root privileges.
Because the telnetd service typically runs as root, exploitation can lead to full system compromise, including complete loss of confidentiality, integrity, and availability.
An attacker can cause denial of service by crashing the telnetd server or take control of the system remotely without any user interaction or prior authentication.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for unusual or malicious telnet LINEMODE SLC suboption negotiation packets. Specifically, an attacker sends a crafted LINEMODE SLC suboption containing 40-50 triplets with function codes greater than 18, which triggers the buffer overflow.
A detection approach involves capturing and analyzing telnet traffic on port 23 to identify LINEMODE negotiations with an excessive number of SLC triplets (more than 35) with function codes above 18.
Suggested commands include using packet capture tools like tcpdump or Wireshark to filter telnet traffic and inspect the SLC suboption payloads:
- tcpdump -i <interface> -s 0 -w telnet_traffic.pcap port 23
- Use Wireshark to open telnet_traffic.pcap and filter for LINEMODE SLC suboptions with many triplets.
Additionally, custom scripts or IDS/IPS rules can be developed to detect telnet packets with LINEMODE SLC suboptions containing an unusually high number of triplets with function codes >18.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the telnetd service on affected GNU Inetutils versions (up to 2.7) if it is not required, as the vulnerability is exploitable remotely without authentication.
If telnetd must be used, restrict access to the telnet port (23) using firewall rules to limit connections only from trusted hosts or internal networks.
Apply any available patches or updates from the GNU Inetutils project that fix the buffer overflow in the LINEMODE SLC suboption handler.
Monitor logs and network traffic for suspicious LINEMODE negotiation attempts as described in detection steps.