Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26982 is a vulnerability in the Ghostty terminal emulator where control characters such as 0x03 (Ctrl+C) can be included in pasted or dragged-and-dropped text. These control characters are invisible in most graphical user interfaces and can be used to execute arbitrary commands in some shell environments like Bash and Zsh. The vulnerability arises because Ghostty does not properly neutralize these special control characters, allowing attackers to trick users into executing unintended commands by convincing them to paste or drop malicious text.'}, {'type': 'paragraph', 'content': "The issue was fixed in Ghostty version 1.3.0 by replacing a hardcoded set of unsafe control characters with spaces during paste operations, preventing these characters from being executed. This fix is inspired by xterm's handling of pasted text and mitigates the risk of command injection via pasted control characters."}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to arbitrary command execution on your system if you are using a vulnerable version of Ghostty (up to version 1.2.3) and are tricked into pasting or dragging and dropping malicious text containing special control characters. Because these characters are invisible in most GUI environments, it is difficult to detect the malicious input.

The impact includes potential unauthorized actions such as running unintended commands, which can compromise the confidentiality, integrity, and availability of your system, although the CVSS score rates these impacts as low. The attack requires user interaction, so it cannot be exploited remotely without user involvement.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves invisible control characters such as 0x03 (Ctrl+C) embedded in pasted or dragged-and-dropped text within the Ghostty terminal emulator. Detection is challenging because these control characters are invisible in most graphical user interfaces and can be embedded in complex strings.

To detect potential exploitation attempts, you can monitor clipboard contents or input buffers for the presence of unsafe control characters that Ghostty versions prior to 1.3.0 do not sanitize. These characters include NUL (0x00), Backspace (0x08), ENQ (0x05), EOT (0x04), ESC (0x1B), DEL (0x7F), and terminal line discipline control characters such as VINTR (Ctrl+C, 0x03), VQUIT (Ctrl+\, 0x1C), VKILL (Ctrl+U, 0x15), VSUSP (Ctrl+Z, 0x1A), VSTART (Ctrl+Q, 0x11), VSTOP (Ctrl+S, 0x13), VWERASE (Ctrl+W, 0x17), VLNEXT (Ctrl+V, 0x16), VREPRINT (Ctrl+R, 0x12), and VDISCARD (Ctrl+O, 0x0F).

Commands to detect these control characters in text inputs or clipboard data could include using tools like `hexdump`, `xxd`, or `cat -v` to reveal non-printable characters. For example, you can inspect clipboard contents (on Linux) with: `xclip -o | xxd` or `xsel --clipboard --output | xxd` to look for suspicious control bytes.

Similarly, monitoring terminal input logs or shell history for unexpected command interruptions or unusual behavior triggered by control characters may help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Ghostty to version 1.3.0 or later, where the vulnerability is fixed by replacing unsafe control characters with spaces during paste and drag-and-drop operations.

Until upgrading, users should avoid copying and pasting or dragging and dropping text from untrusted sources into Ghostty, as the attack requires user interaction to trigger.

There are no configuration options or workarounds available in affected versions to mitigate this vulnerability. Manual inspection and sanitization of clipboard and draggable content before pasting or dropping into Ghostty is recommended.

Useful 0 Not Useful 0