CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21439: Smoke and Mirrors: Terminal Injection in badkeys (CVE-2026-21439)

Vulnerability ID: CVE-2026-21439
CVSS Score: 2.0
Published: 2026-01-05

A classic terminal escape injection vulnerability in the 'badkeys' cryptographic auditing tool allowed attackers to manipulate scan results. By embedding ANSI escape sequences in filenames, SSH comments, or DKIM records, malicious actors could hide vulnerability warnings or forge fake alerts directly in the auditor's terminal.

TL;DR

badkeys versions <= 0.0.15 trusted user input too much when printing results. Attackers could inject ANSI escape codes (like \x1b[2K) into key metadata or filenames. When badkeys printed these strings, the terminal executed the codes, allowing attackers to delete lines (hiding positive results) or spoof output. Fixed in 0.0.16 via repr() sanitization.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-150
  • Attack Vector: Local / User Interaction
  • CVSS v4.0: 2.0 (Low)
  • Impact: UI Spoofing / Integrity Loss
  • Exploit Status: Proof of Concept Available
  • Vector: Argument Injection / File Content

Affected Systems

  • badkeys CLI tool <= 0.0.15
  • Systems relying on badkeys for automated auditing
  • badkeys: <= 0.0.15 (Fixed in: 0.0.16)

Code Analysis

Commit: 635a2f3

Escape output of runcli

+ from .utils import _esc
- print(f"{check}{sub} vulnerability, {kn}, {where}")
+ print(f"{check}{sub} vulnerability, {kn}, {_esc(where)}")
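Review bot: Only `where` is passed through `_esc` on the added print line; `check`, `sub` and `kn` are still interpolated raw into the same f-string. If any of them can carry text taken from the scanned input rather than a fixed internal name, wrap them as well, or add a short comment stating that they come from a fixed set so the next reader does not have to trace it.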

Commit: de631f6

Prevent injection in DKIM warning

- _warnmsg(f"Unknown DKIM key type {dkim['k']}")
+ _warnmsg("Unknown DKIM key type")
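Review bot: The `+` line drops the key type from the warning entirely, so a user who sees "Unknown DKIM key type" can no longer tell which value was rejected. Consider keeping `dkim['k']` in the message in escaped form (for example through the same kind of escaping helper the runcli change imports) so the diagnostic value is preserved without printing the raw string.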

Exploit Details

  • GitHub Issues: Original issue report demonstrating control character injection

Mitigation Strategies

  • Sanitize all untrusted input before printing to stdout/stderr.
  • Use 'cat -v' or 'less' to view output from potentially vulnerable tools.
  • Monitor for unusual ANSI sequences in logs.

Remediation Steps:

  1. Upgrade badkeys to version 0.0.16 or higher.
  2. Verify integrity of existing scan logs for signs of tampering (unexpected line clears).
  3. Re-scan critical infrastructure using the patched version.
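
An added example (not from the original report and not badkeys' own code) for the sanitization and log-verification steps above: `esc_untrusted` and `scan_log` are hypothetical names, and the sample log lines are constructed. It goes slightly beyond the erase-line case by flagging any CSI sequence or stray control character in a saved log.

```python
import re

# CSI sequence: ESC [ parameter bytes, intermediate bytes, final byte.
# Covers the erase-line code ESC[2K named in this advisory.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Any other C0/C1 control character or DEL, except tab and newline.
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def esc_untrusted(value: str) -> str:
    """Hypothetical helper: return printable text unchanged, otherwise its
    repr(), so an ESC byte is shown as the characters \\x1b and not sent raw."""
    return value if value.isprintable() else repr(value)


def scan_log(lines):
    """Return (line_number, [repr of each control sequence]) per flagged line."""
    findings = []
    for num, line in enumerate(lines, start=1):
        body = line.rstrip("\r\n")  # ordinary line endings are not findings
        hits = CSI_RE.findall(body)
        # Stray control characters left once complete CSI sequences are removed
        hits += CTRL_RE.findall(CSI_RE.sub("", body))
        if hits:
            findings.append((num, [repr(h) for h in hits]))
    return findings


# Constructed sample log (not real badkeys output); line 2 carries ESC[2K.
SAMPLE_LOG = [
    "checkA vulnerability, key1, keys/host1.pem\n",
    "checkA vulnerability, key2, keys/host2\x1b[2K.pem\n",
    "scan finished\n",
]

if __name__ == "__main__":
    for num, seqs in scan_log(SAMPLE_LOG):
        print(f"line {num}: control sequences {seqs}")
    print(esc_untrusted("keys/host2\x1b[2K.pem"))
```

A mid-line carriage return is flagged too, since it can overwrite text already printed on the same terminal line.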
