Description
telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.
Published: 2026-03-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

telnetd in GNU inetutils up to version 2.7 contains an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not verify that the buffer is full. This flaw can allow a remote attacker to corrupt memory, potentially leading to arbitrary code execution on the host running telnetd.

Affected Systems

The vulnerability affects the telnet daemon component of GNU inetutils, specifically versions up to and including 2.7. Any deployment that uses this version of inetutils and exposes the telnet service is impacted. Exact affected subcomponents are listed as the telnet daemon handler for the LINEMODE SLC suboption.

Risk and Exploitability

The flaw has a CVSS score of 9.8, indicating critical severity. The EPSS score is below 1%, suggesting it has not yet been widely exploited in the wild. It is not listed in CISA’s KEV catalog. The likely attack vector is a remote network client connecting to telnet over TCP, wherein the attacker sends crafted SLC commands to trigger the out-of-bounds write. No workaround is provided, so the risk remains until the software is updated.

Generated by OpenCVE AI on March 18, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GNU inetutils to a version newer than 2.7 that contains the fix for the out-of-bounds write.
  • If an upgrade cannot be performed immediately, disable the telnet service entirely or block port 23 in your firewall to prevent remote access.
  • Verify the running version of inetutils after applying the update to confirm the vulnerability is no longer present.
  • Monitor incoming connections to the telnet port for suspicious activity and enforce strict access controls when possible.

Generated by OpenCVE AI on March 18, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4527-1 inetutils security update
Debian DSA Debian DSA DSA-6193-1 inetutils security update
History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Write in GNU Inetutils telnetd LINEMODE SLC Handler

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
References

Sun, 15 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Gnu
Gnu inetutils
CPEs cpe:2.3:a:gnu:inetutils:*:*:*:*:*:*:*:*
Vendors & Products Gnu
Gnu inetutils

Fri, 13 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Gnu Inetutils
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T13:13:55.238Z

Reserved: 2026-03-13T17:15:14.405Z

Link: CVE-2026-32746

cve-icon Vulnrichment

Updated: 2026-03-14T02:55:48.456Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:10.147

Modified: 2026-03-23T14:16:33.017

Link: CVE-2026-32746

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:39:43Z

Weaknesses