So this is a vulnerability related to telntd in GNU inetutils.
GNU inetutils is a collection of basic networking programs provided by the the GNU project. Simply its a package of classic internet tools(client + server programs) used on Unix/Linux systems.
The GNU inetutils telnetd is the telntd implementation provided by the GNU inetutils.
What Are We Scouting For??
This is all about Telnet. So if you haven't heard about it more don't worry lets look into it now.
Telnet is a networking protocol which is used communicating with a remote server over TCP/IP protocol with a command line interface. And it does have authentication which asks for the username and password. But the negative with that is , it does all of this in the form of plain text. Anyone in the network can see the username and password.
Nowadays no one uses Telnet as it is vulnerable. Its been replaced with the SSH(Secure Shell), which completes the job clearly.
What is CVE-2026-32746?
The vulnerability resides in the telnet LINEMODE SLC (Set Linemode Characters) negotiation handler. So this affects all the GNU inetutils, which we can say also affects all the debian distributions. Because every vendor copies/forks the same module into his OS and reuses further. Which makes this attack more severe.
Why Use Telnet?
We know that telnet is vulnerable. Then why use it??. The answer goes to the legacy and critical system which are difficult to migrate. And there might be another question why not simply use SSH. But in reality we cant use SSH on the systems like washing machine or blowers. Cause these use an 8 bit microcontroller. And it is impossible to do all the operations performed by SSH to be done on a 8bit microcontroller.
Deep Dive into Vulnerability:
As we have seen the vulnerability lies in the LINEMODE SLC(Set Linemode Characters).
What is Linemode SLC ??
With line mode enabled for editing it helps for the delayed networks. With the efficient packet transfers that is rather than sending each character it sends a line or stream of characters and enables to edit locally and then transfer the characters. This delayed networks doesn't make any sense now though. As this was as old modification.
You can also refer RFC 1184.
Now lets now see what is negotiation? And How does it work?
For seamless operation, telnet doesn't offer any options in the start between the client and server. So it needs to undergo negotiations to enable those options like echo, backspace or typing speed, etc., So it is done though IAC (Interpret as Command) defined as 0xFF.
The main feature which we are interested in is LINEMODE. And one of the important features in this is SLC (Set Linemode Character) which helps us to specific actions like interrupt or exit which are defined using some special characters.
Lets look into how a negotiation works. Firstly, we connect to a Telnet server via TCP. The server responds as following:
IAC DO LINEMODE
The DO is like requesting the user for the option or feature. And the clients response is with the ' WILL'.
IAC WILL LINEMODE
Once that part of negotiation is done. Then the Telnet subnegotiation packet for LINEMODE, specifically the SLC(Set Local Characters) mechanism.
This is a part of Telnet protocol negotiation, where the client and server agree on how certain control characters behave.
The line:
IAC SB LINEMODE LM_SLC <triplets> IAC SE
(0xFF 0xFA 0x03 <triplets> 0xFF 0xF0)
is a subnegotiation message.
Byte-by-Byte Breakdown:
0xFF → IAC (Interpret As Command)
0xFA → SB (Subnegotiation Begin)
0x03 → LINEMODE option
<triplets> → SLC data (this is the interesting part)
0xFF → IAC
0xF0 → SE (Subnegotiation End)
The Important Part: LM_SLC
Each triplet = 3 bytes: [Function][Flags][Value]
Meaning:
- Function -> what control character(e.g., Ctrl+C, backspace )
- Flags(support level) -> how it should behave
- Value -> actual ASCII / control value
The server will store these values in a global sized array of a fixed size, without checking the bounds.
Yes, this is the vulnerability.