CVE-2026-25996
Awaiting Analysis Awaiting Analysis - Queue
ANSI Escape Injection in Inspektor Gadget eBPF Output Leads to Terminal Manipulation

Publication date: 2026-02-12

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects. The columns output mode is the default when running ig run interactively.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25996
EUVD
EUVD-2026-6695
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation inspektor_gadget to 0.49.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25996 is a vulnerability in the inspektor-gadget (ig) tool, specifically in its default interactive columns output mode. The issue occurs because string fields from eBPF events are rendered directly to the terminal without sanitizing control characters or ANSI escape sequences.

This lack of sanitization allows a maliciously crafted event payload, originating from an observed container, to inject ANSI escape sequences into the terminal of the ig operator. These escape sequences can manipulate the terminal display in various ways.

  • Possible effects include log injection (inserting or deleting lines), denial of service (DoS), writing to the system clipboard, creating hyperlinks to attacker-controlled servers, changing the terminal window title, and potentially executing arbitrary code via Operating System Command (OSC) ANSI escape sequences.

A proof-of-concept demonstrated how a container could create files with embedded ANSI escape sequences that manipulate terminal output, such as overwriting log lines to hide sensitive file accesses.

The vulnerability was patched in version v0.49.1 by properly sanitizing ANSI escape sequences in the columns output mode.

Impact Analysis

This vulnerability can impact you by allowing an attacker to manipulate the terminal output of the inspektor-gadget tool when running in columns output mode.

  • An attacker could inject escape sequences that alter or hide log entries, potentially concealing malicious activities.
  • It could cause denial of service by disrupting the terminal display.
  • It might allow writing to the system clipboard or creating clickable links to attacker-controlled servers, increasing the risk of further compromise.
  • In some cases, it could enable execution of arbitrary code through Operating System Command (OSC) ANSI escape sequences.

Overall, this could undermine the reliability and security of system inspection and monitoring activities performed with inspektor-gadget.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by observing the output of the inspektor-gadget (ig) tool when running in its default interactive columns output mode, specifically when tracing eBPF events such as file open operations.

A practical detection method is to run the command `ig run trace_open` interactively and watch for suspicious or unexpected ANSI escape sequences or control characters in the terminal output, which may indicate maliciously forged event payloads.

For example, running a container that performs normal file operations and then creates a file with embedded ANSI escape sequences can demonstrate the vulnerability by manipulating the terminal output.

  • Run `ig run trace_open` in interactive columns mode to monitor eBPF events.
  • Look for unusual terminal behavior such as overwritten log lines, changed terminal titles, or unexpected hyperlinks.
Mitigation Strategies

The immediate mitigation step is to upgrade inspektor-gadget to version v0.49.1 or later, where the vulnerability has been patched by properly sanitizing ANSI escape sequences in the columns output mode.

This patch escapes output strings before printing to the terminal, preventing malicious escape sequences from being interpreted and thus protecting against terminal manipulation.

Until the upgrade can be applied, avoid running inspektor-gadget in the default interactive columns output mode or use the JSON output mode, which already sanitizes content and is not affected by this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25996. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart