Zero-Auth Telnetd Flaw Enables Remote Root RCE in GNU InetUtils (CVE-2026-32746)
A critical unauthenticated flaw in GNU InetUtils telnetd (CVE-2026-32746) allows remote code execution with root privileges by sending crafted LINEMODE SLC options during the initial handshake. Affects all versions up to 2.7; a fix is expected by April 1, 2026. Mitigations include disabling telnetd where possible, running it non-root when needed, and blocking or isolating port 23 at network and host levels. The issue follows a previous high-severity telnetd flaw (CVE-2026-24061) and has been noted as actively exploited in the wild per CISA.