CVE-2026-21439
ASCII Control Character Injection in badkeys Causes Misleading Output
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| badkeys | badkeys | up to 0.0.15 (inclusive) |
| badkeys | badkeys | 0.0.16 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-150 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the badkeys tool (versions 0.0.15 and below) allows an attacker to inject ASCII control characters such as vertical tabs and ANSI escape sequences into input fields like DKIM key types, SSH key comments, and filenames. Because badkeys outputs these inputs directly to the console without proper escaping, the injected control characters can manipulate or create misleading console output. This can confuse users or obfuscate the tool's output, potentially hiding important information or causing misinterpretation of scan results. The issue was fixed in version 0.0.16 by properly escaping these characters and removing unsafe output. [1, 2]
How can this vulnerability impact me?
The vulnerability can impact you by causing misleading or manipulated console output when using badkeys to scan cryptographic keys or filenames. An attacker could inject control characters that alter the appearance of warning messages or key information, potentially hiding security issues or confusing the user. Although the severity is low, this could reduce trust in the scan results or cause users to overlook important warnings. It does not directly compromise cryptographic keys but affects the reliability of the tool's output. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can check whether you are exposed by running the badkeys tool on your DKIM keys (using the --dkim or --dkim-dns options), SSH keys (using --ssh-lines mode), or on filenames, and watching for misleading or manipulated console output caused by injected ASCII control characters or ANSI escape sequences. Because the vulnerability involves unescaped control characters in output, exploitation shows up as unexpectedly colored or formatted text, or as output that does not match what the tool actually processed. Specific commands include: `badkeys --dkim <file>`, `badkeys --dkim-dns <domain>`, and `badkeys --ssh-lines <file>`. Monitoring for unexpected or suspicious console output during these scans can help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the badkeys tool to version 0.0.16 or later, where this vulnerability is fixed. The fix includes escaping control characters in output using a new internal escaping function and removing untrusted input from warning messages. Until you upgrade, avoid processing untrusted input with badkeys or carefully review output for suspicious control characters. The security patches specifically address escaping output in DKIM key warnings, SSH key comments, and filenames to prevent injection of misleading console output. [1, 3, 4]