CVE-2026-25996: Terminal Escape Sequence Injection in Inspektor Gadget
Vulnerability ID: CVE-2026-25996
CVSS Score: 9.8
Published: 2026-04-22
Inspektor Gadget versions prior to 0.49.1 are vulnerable to a Terminal Escape Sequence Injection (CWE-150) in the default columns output mode. The tool fails to sanitize string fields retrieved from eBPF trace events before printing them to the terminal. Attackers operating within monitored containers can exploit this by injecting ANSI control sequences into system events, enabling log spoofing, defense evasion, and potential arbitrary command execution on the operator's terminal.
TL;DR
A CWE-150 vulnerability in Inspektor Gadget allows attackers inside monitored containers to inject ANSI escape sequences via eBPF trace fields, manipulating the operator's terminal output and hiding malicious activity.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-150
- Attack Vector: Network / Container-adjacent
- CVSS v3.1 Score: 9.8 (Critical)
- EPSS Score: 0.00082 (0.08%)
- Impact: Log Spoofing, Defense Evasion, Terminal Manipulation
- Exploit Status: Proof of Concept Available
- KEV Status: Not Listed
Affected Systems
- Inspektor Gadget (ig CLI tool) versions < 0.49.1
- Kubernetes and Linux environments monitored by vulnerable ig installations utilizing default column output
- inspektor-gadget: < 0.49.1 (Fixed in: 0.49.1)
Code Analysis
Commit: d59cf72
pkg/columns: avoid terminal interpreting escape sequences
@@ -36,6 +37,11 @@ func (tf *TextColumnsFormatter[T]) buildFixedString(s string, length int, ellips
return ""
}
+ // Escape the string to avoid the terminal interpreting escape sequences.
+ // strconv.Quote adds surrounding quotes, which are then sliced off.
+ s = strconv.Quote(s)
+ s = s[1 : len(s)-1]
+
if !tf.options.ShouldTruncate {
return s
}
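Review bot: in buildFixedString, strconv.Quote escapes more than control bytes. It also rewrites `"` as `\"` and `\` as `\\`, so fields that legitimately contain quotes or backslashes will now render differently; the comment should say so, and a test row covering such a field would document the change. The escape also runs before the `if !tf.options.ShouldTruncate` branch, so everything after that branch operates on the longer escaped string and a cut could land in the middle of a `\x1b`-style escape. A test with a control byte near the column boundary would pin down the intended behaviour.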
Exploit Details
- Official Fix Commit: C Proof of Concept demonstrating log hiding via CSI injection in open syscall.
Mitigation Strategies
- Upgrade Inspektor Gadget to version 0.49.1 or later
- Use the -o json output mode flag instead of the default columns mode
- Utilize terminal emulators with restricted feature sets that disable potentially dangerous CSI/OSC extensions
Remediation Steps:
- Identify all hosts, workstations, and CI/CD pipelines running the ig CLI tool.
- Download and install the updated binary for Inspektor Gadget version v0.49.1 from the official GitHub releases page.
- Audit automated monitoring scripts to ensure they either run the patched version or explicitly use the -o json format flag.
- Validate the patch application by ensuring ig version returns 0.49.1.
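The following added example (not code from the Inspektor Gadget project) shows why both mitigations work: the strconv.Quote escaping used in the fix commit and JSON encoding each turn control bytes into inert text. It also includes a check for raw control bytes in captured column-mode output. The helper names and the sample file name are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"unicode/utf8"
)

// escapeField follows the fix commit's approach: strconv.Quote turns control
// bytes into visible escapes, then the surrounding quotes are sliced off.
func escapeField(s string) string {
	q := strconv.Quote(s)
	return q[1 : len(q)-1]
}

// hasRawControl reports whether s holds bytes a terminal might interpret:
// non-printable runes (ESC, BEL, CR, ...) or invalid UTF-8. Tabs are allowed.
func hasRawControl(s string) bool {
	for _, r := range s {
		if r == '\t' {
			continue
		}
		if r == utf8.RuneError || !strconv.IsPrint(r) {
			return true
		}
	}
	return false
}

// jsonField shows why JSON output sidesteps the problem: encoding/json
// writes control characters such as ESC as \u00XX escapes.
func jsonField(s string) string {
	b, _ := json.Marshal(s)
	return string(b)
}

// flagLines returns the 1-based numbers of lines in a captured column-mode
// log that contain raw control bytes (hypothetical audit helper).
func flagLines(log string) []int {
	var hits []int
	for i, line := range strings.Split(log, "\n") {
		if hasRawControl(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

func main() {
	// Constructed sample: a file name carrying an SGR colour sequence.
	name := "/tmp/x\x1b[31mred\x1b[0m"
	fmt.Println(escapeField(name), jsonField(name))
	fmt.Println(flagLines("cat /etc/hosts\ncat " + name + "\ncat " + escapeField(name)))
}
```

Only the second line of the constructed log is flagged, because the third line carries the same field after escaping.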
References
- Official Advisory: GHSA-34r5-6j7w-235f
- Fix Commit: d59cf72971f9b7110d9c179dc8ae8b7a11dbd6d2
- Release Notes: v0.49.1
- NVD Detail: CVE-2026-25996
- SentinelOne Analysis: CVE-2026-25996