Synology Security Advisory-26:03 GNU Inetutils
Concerning DiskStation Manager (DSM) to address an issue in telnetd of GNU Inetutils
This is a Press Release edited by StorageNewsletter.com on March 27, 2026 at 2:00 pmPublish Time: 2026-03-19 14:32:42 UTC+8
Last Updated: 2026-03-19 14:37:28 UTC+8
Severity: Critical
Status: Ongoing
Abstract
Synology, Inc. has released a security update for DiskStation Manager (DSM) to address an issue in the telnetd of GNU Inetutils.
-
-
-
CVE-2026-32746 may allow unauthenticated remote attackers to execute arbitrary commands.
-
-
Refer to the Affected Products table for the corresponding updates.
Affected Products
|
Product |
Severity |
Fixed Release Availability |
|---|---|---|
|
DSM 7.3 |
Critical |
Upgrade to 7.3.2-86009-3 or above. |
|
DSM 7.2.2 |
Critical |
Upgrade to 7.2.2-72806-8 or above. |
|
DSM 7.2.1 |
Critical |
Upgrade to 7.2.1-69057-11 or above. |
|
DSMUC 3.1 |
Critical |
Ongoing |
|
BeeStation OS 1.4 |
Not affected |
N/A |
|
SRM 1.3 |
Not affected |
N/A |
|
VS600HD 1.2 |
Not affected |
N/A |
Mitigation
It is recommended to disable the Telnet service to reduce potential risk.
This can be done by navigating to Control Panel > Terminal, uncheck Enable Telnet service, and then click Apply.
Detail
-
CVE-2026-32746
- Severity: Critical
- CVSS3 Base Score: 9.8
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
- telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.
Reference
CVE-2026-32746
Revision
|
Revision |
Date |
Description |
|---|---|---|
|
1 |
2026-03-19 |
Initial public release. |
Subscribe to our free daily newsletter
