Impact
The vulnerability arises because badkeys does not filter ASCII control characters from its console output. An attacker can therefore supply input containing such characters, which the terminal may interpret as formatting or command sequences, producing misleading output that can cause users to misjudge key validity. In practice this manifests as false positives or negatives during DKIM or SSH key scans, potentially misleading administrators. The weakness is classified as CWE-150 (improper neutralization of escape, meta, or control sequences) because the program fails to validate or sanitize user-supplied strings before displaying them.
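As an added illustration of the weakness and its fix (example code, not badkeys' own), the block below builds a report line the unsafe way and the escaped way; the SSH line and its comment field are constructed samples, and the function names are assumptions.

```python
import re

# Constructed sample: an SSH public-key line whose comment field carries terminal
# control sequences (ESC [2K = erase line, CR = return to column 0, ESC [32m = green).
# Printed raw, the terminal can erase or recolor the tool's real verdict.
TAINTED_COMMENT = "revoked-key\x1b[2K\r\x1b[32mOK: key looks fine\x1b[0m"
SAMPLE_SSH_LINE = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialNotReal "
    + TAINTED_COMMENT
)

# C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F) are all
# terminal-relevant; ESC (0x1B) introduces CSI/OSC sequences.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def ssh_comment(line: str) -> str:
    """Return the attacker-controlled comment field of an authorized_keys-style line."""
    parts = line.split(maxsplit=2)
    return parts[2] if len(parts) == 3 else ""


def has_controls(text: str) -> bool:
    """Detection check: True if an untrusted string contains control characters."""
    return _CONTROL_RE.search(text) is not None


def escape_controls(text: str) -> str:
    """Replace each control character with a visible \\xNN escape so it is displayed, not executed."""
    return _CONTROL_RE.sub(lambda m: f"\\x{ord(m.group()):02x}", text)


def unsafe_report_line(verdict: str, untrusted_label: str) -> str:
    """The CWE-150 pattern: untrusted text is interpolated into console output unchanged."""
    return f"{verdict}: {untrusted_label}"


def safe_report_line(verdict: str, untrusted_label: str) -> str:
    """Hardened form: neutralize control characters before they reach the terminal."""
    return f"{verdict}: {escape_controls(untrusted_label)}"


if __name__ == "__main__":
    comment = ssh_comment(SAMPLE_SSH_LINE)
    print(repr(unsafe_report_line("BAD", comment)))  # raw ESC/CR survive
    print(safe_report_line("BAD", comment))          # escapes are visible text
```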
Affected Systems
Versions 0.0.15 and earlier of the badkeys tool, distributed for all operating systems as a Python package, are affected. The issue appears in command-line modes that output key information, including DKIM (--dkim, --dkim-dns), SSH (--ssh-lines), and filename analyses. The fix is implemented in 0.0.16 and later.
Risk and Exploitability
The CVSS score of 2 indicates low severity, and the EPSS score of less than 1% suggests a very low exploitation probability. Because the flaw is confined to console output and grants neither code execution nor network access, the threat is largely restricted to the local user or administrator running badkeys. The vulnerability does not appear in the CISA KEV catalog, further indicating that it is not part of widespread exploit campaigns. The most plausible attack scenario involves an attacker supplying specially crafted input to an unsuspecting user, potentially misleading them into trusting or ignoring a key. This risk is mitigated by applying the available patch.