CVE-2026-32746 is a classic buffer overflow vulnerability categorized under CWE-120, affecting the telnetd daemon in GNU inetutils versions through 2.7. The vulnerability stems from the add_slc function, which handles the LINEMODE SLC (Set Local Characters) suboption in the telnet protocol. Specifically, add_slc does not verify whether the buffer it writes to is full before performing a write operation, resulting in an out-of-bounds memory write. This unchecked buffer copy can corrupt adjacent memory, potentially allowing remote attackers to execute arbitrary code or cause a denial of service by crashing the telnetd process. The vulnerability is remotely exploitable over the network without requiring any privileges or user interaction, making it highly dangerous. The CVSS 3.1 base score of 9.8 reflects its critical severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits are currently known, the vulnerability's nature and telnet's widespread historical use in legacy systems make it a significant threat. The lack of available patches at the time of disclosure necessitates immediate mitigation steps by administrators. Given telnet's declining use in favor of SSH, the exposure is somewhat limited but still relevant in environments where telnet remains active, such as embedded systems, legacy infrastructure, or certain industrial control systems.

The impact of CVE-2026-32746 is severe for organizations worldwide that run GNU inetutils telnetd services, particularly on legacy or embedded systems where telnet remains in use. Successful exploitation can lead to remote code execution, allowing attackers to gain unauthorized control over affected systems. This compromises confidentiality by potentially exposing sensitive data, integrity by allowing modification or corruption of system files and processes, and availability by causing service crashes or denial of service. The vulnerability requires no authentication or user interaction, increasing the risk of automated exploitation and wormable attacks. Organizations relying on telnet for remote management or legacy application support face elevated risks of system compromise, lateral movement, and persistent footholds. Critical infrastructure, industrial control systems, and government networks using GNU inetutils telnetd are particularly vulnerable. The absence of known exploits in the wild currently limits immediate widespread impact, but the high severity score and ease of exploitation necessitate urgent remediation to prevent future attacks.

To mitigate CVE-2026-32746, organizations should immediately assess their use of GNU inetutils telnetd and disable the telnet service where possible, replacing it with more secure alternatives such as SSH. If telnetd usage is unavoidable, restrict access to trusted networks using firewall rules and network segmentation to minimize exposure. Monitor network traffic for unusual telnet activity that could indicate exploitation attempts. Apply vendor patches or updates as soon as they become available; in the absence of official patches, consider applying community-developed patches or backported fixes from trusted sources. Conduct thorough code audits and testing if custom builds of inetutils are used. Employ runtime protections such as Address Space Layout Randomization (ASLR), stack canaries, and non-executable memory regions to reduce exploitation success. Regularly update intrusion detection and prevention systems with signatures related to this vulnerability. Finally, maintain comprehensive incident response plans to quickly address any detected exploitation attempts.