CVE-2026-21439
Unknown Unknown - Not Provided
ASCII Control Character Injection in badkeys Causes Misleading Output

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21439
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
badkeys badkeys to 0.0.15 (inc)
badkeys badkeys 0.0.16
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the badkeys tool (versions 0.0.15 and below) allows an attacker to inject ASCII control characters such as vertical tabs and ANSI escape sequences into input fields like DKIM key types, SSH key comments, and filenames. Because badkeys outputs these inputs directly to the console without proper escaping, the injected control characters can manipulate or create misleading console output. This can confuse users or obfuscate the tool's output, potentially hiding important information or causing misinterpretation of scan results. The issue was fixed in version 0.0.16 by properly escaping these characters and removing unsafe output. [1, 2]

Impact Analysis

The vulnerability can impact you by causing misleading or manipulated console output when using badkeys to scan cryptographic keys or filenames. An attacker could inject control characters that alter the appearance of warning messages or key information, potentially hiding security issues or confusing the user. Although the severity is low, this could reduce trust in the scan results or cause users to overlook important warnings. It does not directly compromise cryptographic keys but affects the reliability of the tool's output. [1, 2]

Detection Guidance

You can detect this vulnerability by running the badkeys tool on your DKIM keys (using --dkim or --dkim-dns options), SSH keys (using --ssh-lines mode), or scanning filenames with badkeys. Look for misleading or manipulated console output caused by injected ASCII control characters or ANSI escape sequences. Since the vulnerability involves unescaped control characters in output, you might observe unusual colored or formatted text in the badkeys output. Specific commands include: `badkeys --dkim <file>`, `badkeys --dkim-dns <domain>`, and `badkeys --ssh-lines <file>`. Monitoring for unexpected or suspicious console output during these scans can help detect exploitation attempts. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the badkeys tool to version 0.0.16 or later, where this vulnerability is fixed. The fix includes escaping control characters in output using a new internal escaping function and removing untrusted input from warning messages. Until you upgrade, avoid processing untrusted input with badkeys or carefully review output for suspicious control characters. The security patches specifically address escaping output in DKIM key warnings, SSH key comments, and filenames to prevent injection of misleading console output. [1, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart