CVE-2026-41253
Received Received - Intake
Code Execution via In-Band Signaling Abuse in iTerm

Publication date: 2026-04-18

Last updated on: 2026-05-18

Assigner: MITRE

Description
In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band signaling abuse." This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-05-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41253
EUVD
EUVD-2026-23656
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
iterm2 iterm2 to 3.6.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in iTerm2 versions through 3.6.9. It occurs when displaying a .txt file that triggers code execution via DCS 2000p and OSC 135 data sequences. The exploit requires the working directory to contain a malicious file whose name matches a valid output from the conductor encoding path, such as a pathname starting with an ace/c+ substring. The root cause is that iTerm2 accepts the SSH conductor protocol from terminal output even when it does not originate from a legitimate conductor session, leading to what is described as a "hypothetical in-band signaling abuse."

Impact Analysis

This vulnerability can lead to unauthorized code execution on your system when using iTerm2 to display certain text files. Because the exploit allows execution of arbitrary code, it can compromise the confidentiality, integrity, and availability of your system. The CVSS score indicates a high impact on confidentiality and integrity, and a low impact on availability, meaning sensitive data could be exposed or altered without user interaction.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41253. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart