Executive Summary

CVE-2026-32746 is a critical remote pre-authentication buffer overflow vulnerability in the GNU Inetutils telnetd server, specifically in the LINEMODE SLC (Set Local Characters) suboption handler.

The flaw occurs because the add_slc() function appends 3-byte SLC triplets to a fixed 108-byte buffer without checking if there is enough space, leading to an out-of-bounds write when too many triplets are sent.

An attacker can send a specially crafted LINEMODE SLC suboption containing many triplets with function codes greater than 18, causing the buffer to overflow after about 35 triplets.

This overflow corrupts adjacent memory, including pointers, which can then be exploited to perform arbitrary memory writes and ultimately achieve remote code execution with root privileges.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the affected system with root privileges.

Because the telnetd service typically runs as root, exploitation can lead to full system compromise, including complete loss of confidentiality, integrity, and availability.

An attacker can cause denial of service by crashing the telnetd server or take control of the system remotely without any user interaction or prior authentication.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring network traffic for unusual or malicious telnet LINEMODE SLC suboption negotiation packets. Specifically, an attacker sends a crafted LINEMODE SLC suboption containing 40-50 triplets with function codes greater than 18, which triggers the buffer overflow.

A detection approach involves capturing and analyzing telnet traffic on port 23 to identify LINEMODE negotiations with an excessive number of SLC triplets (more than 35) with function codes above 18.

Suggested commands include using packet capture tools like tcpdump or Wireshark to filter telnet traffic and inspect the SLC suboption payloads:

• tcpdump -i <interface> -s 0 -w telnet_traffic.pcap port 23
• Use Wireshark to open telnet_traffic.pcap and filter for LINEMODE SLC suboptions with many triplets.

Additionally, custom scripts or IDS/IPS rules can be developed to detect telnet packets with LINEMODE SLC suboptions containing an unusually high number of triplets with function codes >18.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling the telnetd service on affected GNU Inetutils versions (up to 2.7) if it is not required, as the vulnerability is exploitable remotely without authentication.

If telnetd must be used, restrict access to the telnet port (23) using firewall rules to limit connections only from trusted hosts or internal networks.

Apply any available patches or updates from the GNU Inetutils project that fix the buffer overflow in the LINEMODE SLC suboption handler.

Monitor logs and network traffic for suspicious LINEMODE negotiation attempts as described in detection steps.

Useful 0 Not Useful 0