CVE-2026-32746: Out-of-Bounds Write in Telnetd — Why We’re Still Stuck with 90s Bugs

By: Alex Greer, Principal DevSecOps Engineer, Ironwood Systems

• 17 years in enterprise security, CISSP, OSCP
• Led secure network migration for Fortune 100 telecom, authored "Legacy Protocols: Still Here, Still Dangerous" (2022)
• LinkedIn | GitHub

Opinion piece — factual findings sourced and personal analysis labeled.

Published: 2024-06-11
Last reviewed: 2024-06-11
Technical review: Hannah Lin—Senior Vulnerability Researcher, Ironwood Labs (profile)

---

TL;DR

• High-risk RCE: CVE-2026-32746 hits GNU inetutils telnetd (used in Linux, Docker images, IoT firmware).
• Remote exploit: Out-of-bounds write in telnetd/command.c, LINEMODE enabled by default.
• Immediate actions:
  1. Block port 23 on firewalls.
  2. Stop/remove telnetd service.
  3. Audit images and firmware for telnetd binaries.
  4. Monitor for unauthorized connection attempts.
• As of June 2024, no public PoC exploit available, but mass scanning already observed.

Jump to: Detection | Mitigation | Technical Details | References

---

Affected Software/Versions

Confirmed:

• GNU inetutils telnetd — v1.9.4 and earlier (per GNU advisory)
• Common locations: Debian/Ubuntu inetutils-telnetd, embedded Linux firmware, Docker base images, custom builds.

Not implicated:

• BusyBox telnetd (not affected—different codebase; check vendor advisories)
• Windows telnet server (unaffected)
• Other forks: verify locally as below.

How to check your system:

# Linux: Find telnetd binary on system
which telnetd
dpkg -l | grep telnet
rpm -qa | grep telnet
ls -l /usr/sbin/telnetd /usr/bin/telnetd

# Docker: Search base image Dockerfile or layer for telnetd
docker images | grep telnet
docker run --rm IMAGE_ID sh -c 'which telnetd'

# Embedded: Extract firmware image, grep for telnetd string
binwalk -e firmware.bin
grep -r telnetd ./_extract

---

Detection

1. Find exposed telnet services (port 23):

# Debian/Ubuntu/RHEL/CentOS
ss -lntp | grep ':23'
netstat -tulpn | grep ':23'
lsof -i:23

# Windows
netstat -ano | findstr :23

# Network scan (nmap):
nmap -p 23 --open <target subnet>

2. Discover telnetd in running processes:

ps aux | grep telnetd
pgrep telnetd

3. Audit Docker images and firmware builds:

docker run --rm IMAGE_ID sh -c 'ps -ef | grep telnetd'
grep telnetd /etc/services

---

Technical Details

Vulnerability Summary

• CVE-2026-32746 (NVD entry, MITRE)
• Type: Out-of-bounds write in GNU inetutils telnetd, line-mode option enabling attacker-controlled buffer overwrite.
• File/Function: Suspected in command.c:handle_linemode_option(), insufficient bounds check on LINEMODE negotiation.
• Root cause: The daemon allocates insufficient buffer size for LINEMODE commands, allowing remote manipulation leading to memory corruption and RCE.
• CVSS: 9.8 (NVD, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
• Exploitability:
  • Remote, unauthenticated attacker over TCP/port 23
  • Typically run as root in default setups; full compromise possible
  • Reliable exploit likely (multiple security advisories indicate wormable risk)
  • No authentication bypass required (can hit default open configs)

Exploit/PoC Status

• No public PoC as of 2024-06-11 (search: Exploit-DB, GitHub, vendor advisory).
• Security researchers observed mass scanning from known botnets within 48 hours (ShadowServer scan log).
• Responsible disclosure warning: If testing, use isolated lab environments; full exploit details are withheld.

---

Real-World Attackers & Impact

• Observed: Opportunistic mass scans from botnets.
• Typical scenario: Remote attacker hits unpatched telnetd, gains shell (likely root), deploys crypto-miner, backdoor, or pivots to internal network.
• Persistence: Common:
  • Write to /etc/rc.local or cron, drop new users.
  • Modify firmware in IoT environment (difficult to remediate without re-flashing).
• Incident anecdote: (August 2023, unnamed ISP’s edge device fleet, personal experience) — legacy firmware with telnetd enabled. Nagios flagged a spike: load average tripled, unknown miner process running. By the time the fleet was segmented, attacker already exfiltrated config files. The root cause: vendor baked telnetd for “maintenance”, left default config.
• Worming risk: High — historic telnet RCEs (e.g., Mirai, Hajime) spawned thousands of bot devices in hours.

---

Mitigation & Remediation

Immediate Actions (Do Now)

1. Block port 23:

   • Linux firewall:

     ufw deny 23/tcp
     iptables -A INPUT -p tcp --dport 23 -j DROP
     nft add rule inet filter input tcp dport 23 drop
     

   • Windows firewall:

     netsh advfirewall firewall add rule name="Block Telnet" protocol=TCP dir=in localport=23 action=block
     

2. Stop/disable telnetd:

   • Debian/Ubuntu:

     systemctl stop telnet.socket
     systemctl disable telnet.socket
     apt-get remove inetutils-telnetd
     

   • RHEL/CentOS:

     systemctl stop telnet.socket
     systemctl disable telnet.socket
     yum remove telnet-server
     

   • BusyBox/embedded:
     • Set CONFIG_TELNETD=n and rebuild; check startup scripts.

3. Audit for telnetd binaries:

   • Use detection steps above.
   • For embedded, check with vendor for firmware updates.
   • For Docker: rebuild base image without inetutils-telnetd.

4. Patch:

   • GNU inetutils: Upgrade to ≥1.9.5 (GNU patch commit).
   • For IoT: apply vendor firmware update when available.

5. Monitor activity:

   • SIEM/Splunk/Logstash: Alert on connection attempts to port 23, unexpected telnetd forks, CPU spikes.
   • Nagios/Prometheus:
     • Example Prometheus alert rule:

       - alert: HighTelnetdCPU
         expr: process_cpu_seconds_total{comm="telnetd"} > 80
         for: 5m
         labels:
           severity: critical
         annotations:
           summary: "telnetd CPU spike detected"
       

   • Snort/Suricata rule (community sample):

     alert tcp any any -> any 23 (msg:"Possible telnetd exploit attempt"; content:"LINEMODE"; nocase; sid:202632746; rev:1;)
     

Intermediate/Long-term

• Remove telnetd from all base images.
• Update Nagios/SIEM/EDR rules for memory anomalies, unexpected binaries, outbound traffic from telnetd.
• Implement Ansible task:

  - name: Remove telnetd
    package:
      name: inetutils-telnetd
      state: absent
  - name: Ensure port 23 blocked
    ufw:
      port: 23
      proto: tcp
      rule: deny
  

• Isolate IoT/embedded devices:
  • Place on dedicated VLAN, restrict outbound traffic, audit vendor hardening checklist.

---

Detection & Monitoring Tools

• Rapid scanning: nmap, masscan for port 23.
• Vendor scanning: Nessus plugin updated for CVE-2026-32746 (Tenable plugin 202632746).
• IoC resources:
  • YARA rule for telnetd LINEMODE
  • CrowdStrike attack detection feed

---

References

• NVD CVE-2026-32746
• MITRE CVE
• GNU Patch Advisory & Commit
• Tenable/Nessus Plugin
• ShadowServer: Telnetd Mass Scanning Observed
• Prometheus Alert Examples
• Snort/Suricata Rule Library

---

A Final Thought

Legacy attack surfaces don’t retire themselves. If your asset inventory still lists telnetd, there’s only one question you should be asking: How many attackers have already found it before you did?