
CVE-2026-32746: 32-Year-Old Telnetd RCE Threatens Saudi Bank Edges

A 32-year-old buffer overflow in GNU Inetutils Telnetd (CVE-2026-32746, CVSS 9.8) enables pre-auth RCE on legacy stacks still hiding inside Saudi bank perimeters and NetScaler fleets.

FyntraLink Team

A buffer overflow that has lived undisturbed in GNU Inetutils Telnetd for 32 years was disclosed on April 30, 2026, as CVE-2026-32746 — a CVSS 9.8 pre-authentication remote code execution flaw. For Saudi financial institutions, the danger is not the protocol itself but the long tail of legacy and embedded systems where Telnetd still listens on port 23 inside branch networks, ATM management VLANs, and edge appliances.

Inside the LINEMODE SLC Buffer Overflow

The vulnerability resides in the add_slc() function in telnetd/slc.c, where each Set Linemode Characters (SLC) triplet appends three bytes into a fixed 108-byte buffer named slcbuf without bounds checking. GNU Inetutils defines 18 valid SLC function codes (the constant NSLC = 18), but when the daemon receives a triplet with a function code above 18 it still calls add_slc() to queue a "not supported" reply. Because slcbuf and the write-position pointer slcptr both live in the BSS segment, an attacker who sends 40 or more triplets with out-of-range function codes corrupts slcptr itself. When end_slc() later writes the suboption end marker through the now-attacker-controlled pointer, it performs an arbitrary write — the launchpad for full RCE.

Why Telnetd Still Matters in Saudi Bank Networks

The instinctive reaction is "we don't run Telnet." That answer almost never survives an asset discovery sweep. CVE-2026-32746 affects all current GNU Inetutils releases through version 2.7, and downstream usage extends to FreeBSD, NetBSD, Citrix NetScaler appliances, TrueNAS Core, DragonFlyBSD, Haiku, and a wide range of embedded and OT firmware. Citrix NetScaler in particular is broadly deployed at Saudi bank perimeters as an ADC and remote-access gateway. Branch routers, KVM-over-IP cards on legacy x86 servers, network printers, building-management controllers, and ATM cassette controllers commonly embed Telnetd and rarely receive vendor patches on a CSCC-aligned cadence. Public proof-of-concept code is already on GitHub, and the attack reaches the vulnerable path before any login prompt — so credential rotation, MFA, and password vaults provide zero protection.

Impact on SAMA-Regulated Financial Institutions

Three SAMA Cyber Security Framework controls map directly to this exposure. CSCC subdomain 3.3.5 (Vulnerability Management) requires CVSS 9.0+ vulnerabilities to be remediated within 30 days of disclosure — a clock that started ticking on April 30, 2026. CSCC 3.3.13 (Secure Configurations) explicitly forbids cleartext administration protocols on production banking networks; an exposed Telnetd today is a finding regardless of whether CVE-2026-32746 is exploitable. CSCC 3.3.9 (Network Security Management) requires segmentation of management planes from user-facing networks, the only durable mitigation while embedded vendors stall on firmware updates. NCA ECC-2:2024 control 4-5 reinforces the same principle, and PCI-DSS 4.0 Requirement 2.2.5 prohibits insecure services on cardholder data environments, making Telnetd on any system in scope an automatic non-compliance.

Detection and Containment Recommendations

  1. Discover, don't assume. Run an authoritative external and internal scan for TCP/23 across all corporate, branch, OT, and DR ranges. Pay specific attention to NetScaler, FreeBSD-derived storage, BMC/iDRAC/iLO management cards, and any vendor-supplied appliance.
  2. Block at the network edge first. Drop inbound TCP/23 at perimeter firewalls and at every WAN aggregation point. Internal segmentation ACLs should restrict Telnet only to a hardened jump host pending decommissioning.
  3. Deploy IDS signatures for the LINEMODE SLC anomaly. Suricata and Snort rules detecting more than 30 SLC triplets in a single Telnet IAC SB sequence are circulating publicly; tune false positives during business-hours traffic baselining.
  4. Open vendor cases for embedded fleet items. Demand written confirmation from Citrix, ATM vendors (Diebold, NCR), and OT suppliers regarding their use of GNU Inetutils and patch ETAs. Capture responses for the next SAMA on-site assessment.
  5. Hunt for prior compromise. Because pre-disclosure exploitation cannot be ruled out, review SIEM data for the past 90 days for anomalous TCP/23 sessions, unexpected outbound connections from appliances, and new admin accounts on NetScaler and BSD-based hosts.
  6. Update the asset register and TPRM scoring. Any third party operating Telnet-enabled systems on your behalf must be flagged, in line with CSCC 3.3.15 (Third-Party Risk).
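As an added example, not taken from this advisory or from the GNU Inetutils sources, the Python helper below implements the detection idea behind recommendation 3: it extracts every Telnet IAC SB ... IAC SE suboption from a captured TCP/23 stream, honours the IAC IAC escape, counts LINEMODE SLC triplets, and flags both a burst above 30 triplets and any function code above NSLC = 18, the out-of-range path described in the overflow section. The Telnet constant values come from RFC 854 and RFC 1184; the two traffic samples are constructed for testing the detector, not captured exploit traffic.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0      # Telnet command bytes (RFC 854)
LINEMODE, SLC = 34, 3               # LINEMODE option and its SLC suboption (RFC 1184)
NSLC = 18                           # SLC function codes GNU Inetutils supports
TRIPLET_THRESHOLD = 30              # triplet count used by the public Suricata/Snort rules

def extract_suboptions(stream: bytes):
    """Yield the unescaped payload of every IAC SB ... IAC SE block in a TCP/23 stream."""
    i = 0
    while (start := stream.find(bytes([IAC, SB]), i)) != -1:
        i = start + 2
        payload = bytearray()
        while i < len(stream):
            if stream[i] == IAC and i + 1 < len(stream):
                if stream[i + 1] == SE:          # IAC SE closes the suboption
                    i += 2
                    break
                if stream[i + 1] == IAC:         # IAC IAC is an escaped 0xFF data byte
                    payload.append(IAC)
                    i += 2
                    continue
            payload.append(stream[i])
            i += 1
        yield bytes(payload)

def analyse_slc(stream: bytes) -> list:
    """Return one finding per LINEMODE SLC suboption: triplet count, codes above NSLC, verdict."""
    findings = []
    for sub in extract_suboptions(stream):
        if len(sub) < 2 or sub[0] != LINEMODE or sub[1] != SLC:
            continue
        body = sub[2:]
        triplets = len(body) // 3               # a trailing partial triplet is ignored
        out_of_range = sum(1 for k in range(0, triplets * 3, 3) if body[k] > NSLC)
        suspicious = triplets > TRIPLET_THRESHOLD or out_of_range > 0
        findings.append({"triplets": triplets, "out_of_range": out_of_range, "suspicious": suspicious})
    return findings

def build_slc(triplets):
    """Constructed test traffic only: encode (func, flag, value) triplets as one SLC suboption."""
    data = bytes(b for t in triplets for b in t).replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, LINEMODE, SLC]) + data + bytes([IAC, SE])

# Constructed samples: a normal three-triplet negotiation (with one escaped 0xFF value)
# and a 40-triplet burst of unsupported function codes, the pattern the IDS rules look for.
BENIGN = build_slc([(1, 3, 0xFF), (2, 2, 0x03), (3, 2, 0x1C)])
BURST = build_slc([(0x7F, 0, 0)] * 40)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("burst", BURST)):
        print(name, analyse_slc(sample))
```

Feed it reassembled client-to-server bytes from a TCP/23 capture; sessions that never reach a login prompt but carry a flagged SLC suboption are the ones worth pulling into the 90-day hunt in recommendation 5.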

The Strategic Lesson Beyond One CVE

A 32-year-old vulnerability surviving in production proves an uncomfortable truth: SAMA-regulated estates are still carrying decades-old protocol debt that no amount of next-gen tooling fully neutralizes. The institutions that handle CVE-2026-32746 cleanly will be those that already maintain a living protocol-deprecation roadmap, an OT/IT segmentation standard signed by the CISO, and a TPRM clause that obligates suppliers to disclose embedded open-source components. The rest will spend the next 30 days hunting Telnetd in places they swore did not exist.

Conclusion

CVE-2026-32746 is not a Linux server problem — it is a perimeter, OT, and supply-chain problem wearing a Linux server's clothes. Treating it as a vulnerability-management ticket alone misses the point; the response should sharpen segmentation, third-party assurance, and legacy-protocol governance, all areas SAMA examiners now scrutinize aggressively.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that benchmarks your perimeter, OT, and TPRM posture against CSCC 3.3.5, 3.3.9, and 3.3.13.