
Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23

ID: ee920fcc-8bca-52b8-9525-60fb319a7c16

STIX ID: report--ee920fcc-8bca-52b8-9525-60fb319a7c16

Feed Name: The Hacker News

Threat Score: 90/100

Date Published: 2026-03-18

Date Updated: 2026-04-24

Author: The Hacker News

A critical pre-auth remote code execution vulnerability (CVE-2026-32746, CVSS 9.8) has been disclosed in GNU InetUtils telnetd (<= 2.7); an attacker can trigger an out-of-bounds write during Telnet LINEMODE SLC option negotiation to achieve arbitrary code execution as root without authentication. Dream recommends disabling Telnet if unnecessary, running telnetd without root where required, blocking port 23, and isolating Telnet access while a fix (expected by April 1, 2026) is developed.
