CVE-2026-32746

GNU · inetutils (telnetd)

GNU inetutils telnetd through version 2.7 contains an out-of-bounds write vulnerability in the LINEMODE SLC suboption handler due to missing buffer checks.

Executive summary

A critical out-of-bounds write in the GNU telnet daemon allows remote attackers to potentially execute arbitrary code or cause a denial of service on affected systems.

Vulnerability

The add_slc function in the telnet daemon does not check whether its internal buffer is full before writing data during Set Local Characters (SLC) negotiation. A remote, unauthenticated attacker can therefore overflow the buffer and overwrite adjacent memory.

Business impact

Because telnetd often runs with elevated privileges, an out-of-bounds write can lead to full system compromise. The CVSS score of 9.8 indicates a high degree of exploitability and impact. Successful exploitation could result in unauthorized access to legacy systems, data theft, or persistent presence within the network environment.

Remediation

Immediate Action: Disable the telnet service and migrate to a secure alternative such as SSH. If telnet must be used, apply the latest security patches from the GNU project.

Proactive Monitoring: Audit system logs for crashes in the telnetd process and monitor network traffic for unusual telnet negotiation sequences.

Compensating Controls: Use network isolation or VPNs to restrict telnet access to trusted administrative hosts only, and employ an Intrusion Detection System (IDS) to flag malformed telnet packets.
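
One way to implement the negotiation monitoring and malformed-packet flagging described above, as an added example that is not part of the original advisory or of GNU inetutils: a Python check that walks a reassembled telnet byte stream, extracts LINEMODE SLC suboptions, and reports oversized, truncated, or out-of-range triplet lists. The function names, the 30-triplet alert threshold (not derived from the vulnerable buffer size) and the sample streams are assumptions; the command and option codes come from RFC 854/855 and RFC 1184.

```python
# Added example: flag abnormal LINEMODE SLC suboptions in a reassembled telnet stream.
IAC, SB, SE = 255, 250, 240   # telnet command bytes (RFC 854/855)
LINEMODE, LM_SLC = 34, 3      # option and suboption codes (RFC 1184)
MAX_FUNC = 18                 # SLC_FORW2, highest function code in RFC 1184
MAX_TRIPLETS = 30             # assumed alert threshold; tune per environment

def iter_suboptions(stream: bytes):
    """Yield the unescaped payload of each complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # WILL/WONT/DO/DONT carry an option byte; other commands do not.
            i += 3 if 251 <= stream[i + 1] <= 254 else 2
        else:
            i, payload = i + 2, bytearray()
            while i < n:
                nxt = stream[i + 1] if i + 1 < n else None
                if stream[i] == IAC and nxt == SE:
                    yield bytes(payload)
                    i += 2
                    break
                # IAC IAC inside a suboption is one literal 0xFF data byte.
                step = 2 if stream[i] == IAC and nxt == IAC else 1
                payload.append(stream[i])
                i += step

def check_slc(payload: bytes, max_triplets: int = MAX_TRIPLETS):
    """Return findings for one suboption payload; empty if clean or not SLC."""
    if payload[:2] != bytes([LINEMODE, LM_SLC]):
        return []
    body, findings = payload[2:], []
    if len(body) % 3:
        findings.append("truncated SLC triplet")
    count = len(body) // 3
    if count > max_triplets:
        findings.append(f"{count} SLC triplets exceeds threshold {max_triplets}")
    bad = sorted({body[k] for k in range(0, count * 3, 3) if body[k] > MAX_FUNC})
    if bad:
        findings.append(f"undefined SLC function codes {bad}")
    return findings

def scan(stream: bytes):
    return [f for p in iter_suboptions(stream) for f in check_slc(p)]

# Constructed sample streams, not captured traffic.
NORMAL = bytes([IAC, 253, LINEMODE, IAC, SB, LINEMODE, LM_SLC, 3, 2, 3, 8, 2, 4, IAC, SE])
OVERSIZED = bytes([IAC, SB, LINEMODE, LM_SLC]) + bytes([1, 2, 0]) * 40 + bytes([IAC, SE])
```

Feed `scan()` the client-to-server bytes of each TCP session on port 23; any non-empty result is worth correlating with telnetd crash entries in the system logs.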

Exploitation status

Public Exploit Available: false

Analyst recommendation

The use of telnet is generally discouraged due to its lack of encryption. This vulnerability provides a critical reason to finally decommission any remaining telnet infrastructure. If decommissioning is not possible, the GNU inetutils package must be updated to a patched version immediately to mitigate the risk of remote code execution.