Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges. The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0 and has been described as an out-of-bounds write in the LINEMODE Set functionality. Separately, Apple has addressed CVE-2026-20643, a cross-origin issue in WebKit's Navigation API affecting iOS, iPadOS, and macOS.
The telnetd vulnerability is a severe risk because it could allow unauthenticated remote code execution with root privileges through port 23. The flaw affects systems running the GNU InetUtils telnet daemon, though the exact scope of affected installations remains unclear from available information. Apple's WebKit vulnerability, while lacking a published CVSS score, could allow attackers to bypass same-origin policy protections when maliciously crafted web content is processed.
The telnetd flaw is an out-of-bounds write condition in the LINEMODE Set functionality, allowing remote attackers to manipulate memory and achieve code execution without authentication. The WebKit vulnerability is a cross-origin issue within the Navigation API, potentially enabling unauthorized access to resources across different origins in web browsers.
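For defenders who still have Telnet traffic on the wire, the following added example (not code from the advisory or from GNU InetUtils) walks a captured client-to-server byte stream and lists every LINEMODE subnegotiation it contains, using the option and subcommand codes from RFC 854 and RFC 1184. The function name, the sample stream and the `REVIEW_LEN` triage threshold are assumptions made for this example; the sources do not describe what input triggers the flaw.

```python
# Added example: inventory Telnet LINEMODE subnegotiations in a byte stream.
IAC, SB, SE = 255, 250, 240            # RFC 854 command bytes
LINEMODE = 34                          # RFC 1184 option code
LM_NAMES = {1: "MODE", 2: "FORWARDMASK", 3: "SLC"}  # RFC 1184 subcommands
REVIEW_LEN = 64  # assumption: triage threshold, not a documented trigger size


def linemode_suboptions(stream: bytes, review_len: int = REVIEW_LEN):
    """Return (offset, subcommand, payload_len, flagged) per LINEMODE SB block."""
    found, i, n = [], 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT (251-254) carry an option byte; others do not.
            i += 3 if 251 <= cmd <= 254 else 2
            continue
        start, option, j = i, stream[i + 2], i + 3
        payload, terminated = bytearray(), False
        while j < n:
            if stream[j] == IAC and j + 1 < n:
                if stream[j + 1] == SE:        # IAC SE closes the suboption
                    terminated, j = True, j + 2
                    break
                if stream[j + 1] == IAC:       # IAC IAC is an escaped 0xFF
                    payload.append(IAC)
                j += 2
                continue
            payload.append(stream[j])
            j += 1
        if option == LINEMODE:
            name = LM_NAMES.get(payload[0], hex(payload[0])) if payload else "empty"
            # Flag long or unterminated blocks for manual review.
            flagged = len(payload) > review_len or not terminated
            found.append((start, name, len(payload), flagged))
        i = j
    return found


# Constructed sample stream (not captured traffic).
SAMPLE = (bytes([IAC, 251, LINEMODE])
          + bytes([IAC, SB, LINEMODE, 1, 3, IAC, SE])
          + b"ls\r\n"
          + bytes([IAC, SB, LINEMODE, 2, IAC, IAC, 0, IAC, SE])
          + bytes([IAC, SB, LINEMODE, 3]) + bytes([1, 2, 3]) * 30 + bytes([IAC, SE]))

if __name__ == "__main__":
    for row in linemode_suboptions(SAMPLE):
        print(row)
```

Payload length here counts the subcommand byte plus its data after unescaping, so the figure reflects what the daemon's suboption handler would receive.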
Apple has released its first round of Background Security Improvements to address the WebKit vulnerability across iOS, iPadOS, and macOS platforms. However, the sources do not specify patch availability or timeline for the critical telnetd vulnerability, suggesting it may remain unpatched and pose an immediate threat to affected systems.