A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils CVE-2026-32746)

14 points by hugoarnal

dmbaturin

That's a really good analysis post.

Tangentially, however... I found it incredibly annoying how security scanners like Nessus and internal scanners of AWS and friends went absolutely crazy about any system that had anything built from the inetutils source package, because those scanners are too stupid to understant that the telnet client and the telnet server parts reside in different binary packages in most distros, and the client package is not vulnerable. That was a massive waste of time. Especially with AWS that was just saying "your image is vulnerable", to some unspecified problem.

fanf

Wait, this is different from January’s bug?!

https://www.openwall.com/lists/oss-security/2026/01/20/2

https://www.openwall.com/lists/oss-security/2026/03/12/5

k749gtnc9l3w

Indeed, the new one is memory corruption via buffer overflow (before the authentication starts), the January one is about shell parameter splitting in unexpected places in case of questionable DNS responses when doing IP-to-hostname lookup for the client.

I guess discussion of old vulnerabilities in XYZ brings more attention to XYZ, especially to the old bugs that could be only half-fixed. Here the server-to-client attack was found and fixed twenty years ago, and now attention that telnetd received my have prompted someone to read old security bugs and notice this…

GhostFacedOOMKiller

I'm old enough to know that RISC was far more than a distant dream in 1994 - except in movies.