Exploiting a 32-year-old buffer overflow in GNU telnetd (CVE-2026-32746)
2 days ago
- #telnet vulnerability
- #buffer overflow
- #GNU inetutils
- A 32-year-old buffer overflow bug in GNU inetutils telnetd was discovered and weaponized.
- The vulnerability requires no authentication and is triggered over a TCP connection.
- Exploitation is viable on 32-bit systems via GOT overwrite, but constrained by byte limitations.
- On 64-bit systems, traditional GOT overwrite is impossible due to triplet constraints, but RCE is demonstrated via /proc/PID/mem.
- Telnet remains in use on embedded devices, industrial control systems, and legacy network equipment.
- The bug was introduced in 1994 and replicated across many Telnet implementations.
- Exploitation techniques include amplification, alignment shift, and byte control through change_slc.
- The vulnerability affects various systems, including Linux distributions, BSD variants, and vendor-specific hardware.
- The fix involves adding a single bounds check to the add_slc function.
- Current mitigations include patching, disabling Telnet, or blocking port 23.
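
The summary says the fix is a single bounds check in add_slc. The following simplified C model is an added illustration, not the inetutils source or its actual patch: it appends SLC triplets to a fixed buffer and rejects any triplet that would not fit. The struct, the buffer size and the name add_slc_checked are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define IAC 0xff          /* Telnet "interpret as command" byte */
#define SLC_BUF_SIZE 16   /* constructed size, small so the limit is easy to reach */

/* Hypothetical container for the SLC reply being built. */
struct slc_buf {
    unsigned char data[SLC_BUF_SIZE];
    size_t len;
};

/* Inside a subnegotiation a literal 0xff is sent doubled, so it costs 2 bytes. */
static size_t encoded_len(unsigned char b)
{
    return b == IAC ? 2 : 1;
}

/*
 * Append one (func, flag, val) triplet.
 * Returns 0 on success, -1 if the encoded triplet does not fit.
 * On failure the buffer is left unchanged (no partial triplet).
 */
int add_slc_checked(struct slc_buf *b, unsigned char func,
                    unsigned char flag, unsigned char val)
{
    unsigned char t[3] = { func, flag, val };
    size_t need = 0, i;

    for (i = 0; i < 3; i++)
        need += encoded_len(t[i]);      /* 3 to 6 bytes per triplet */

    if (need > sizeof b->data - b->len) /* the bounds check */
        return -1;

    for (i = 0; i < 3; i++) {
        b->data[b->len++] = t[i];
        if (t[i] == IAC)
            b->data[b->len++] = IAC;    /* escape by doubling */
    }
    return 0;
}

int main(void)
{
    struct slc_buf b = { {0}, 0 };
    int n = 0;
    while (add_slc_checked(&b, 1, 2, 3) == 0)
        n++;
    printf("accepted %d triplets, %zu bytes used\n", n, b.len);
    return 0;
}
```

The check is made against the encoded size, so a triplet containing 0xff bytes is measured at up to six bytes before anything is written.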