CVE-2026-41253
Code Execution via In-Band Signaling Abuse in iTerm
Publication date: 2026-04-18
Last updated on: 2026-04-18
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iterm2 | iterm2 | to 3.6.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in iTerm2 versions through 3.6.9. It occurs when displaying a .txt file that triggers code execution via DCS 2000p and OSC 135 data sequences. The exploit requires the working directory to contain a malicious file whose name matches a valid output from the conductor encoding path, such as a pathname starting with an ace/c+ substring. The root cause is that iTerm2 accepts the SSH conductor protocol from terminal output even when it does not originate from a legitimate conductor session, leading to what is described as a "hypothetical in-band signaling abuse."
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized code execution on your system when using iTerm2 to display certain text files. Because the exploit allows execution of arbitrary code, it can compromise the confidentiality, integrity, and availability of your system. The CVSS score indicates a high impact on confidentiality and integrity, and a low impact on availability, meaning sensitive data could be exposed or altered without user interaction.