Researchers warn of unpatched, critical Telnetd flaw affecting all versions

A critical buffer-overflow vulnerability (CVE-2026-32746, CVSS 9.8) in GNU InetUtils telnetd allows unauthenticated remote attackers to execute code as root via the LINEMODE SLC negotiation; the flaw affects all versions up to 2.7, can be triggered by a single connection to port 23, and places Linux distributions, IoT devices, and legacy OT/ICS systems at high risk. Researchers advise disabling Telnet, blocking port 23, enabling network monitoring and applying the forthcoming patch expected by April 1, 2026.