Description
Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects. The columns output mode is the default when running ig run interactively.
Published: 2026-02-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Terminal Escape Injection
Action: Apply Patch
AI Analysis

Impact

Inspektor Gadget outputs eBPF event strings in columns mode without sanitizing control characters or ANSI escape sequences, allowing a malicious payload to embed terminal control codes. Such injection can change the appearance of the terminal, hide or distort operator data, and potentially mislead or confuse users during interactive sessions. The flaw is a moderate-severity issue classified under CWE-150 (improper neutralization of escape, meta, or control sequences).
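As an added illustration, not Inspektor Gadget's code or its actual fix, the following Go sanitizer shows the kind of neutralization the Impact paragraph describes as missing: every event string field is rewritten before a columns-style printer sends it to a TTY, and fields that needed rewriting are flagged so a collector can count or log them. The event row is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// sanitizeField neutralizes terminal control characters in one event string.
// C0 controls (0x00-0x1F, including ESC 0x1B which opens ANSI sequences), DEL
// (0x7F) and C1 controls (0x80-0x9F) become \xNN; other non-printable runes
// (e.g. U+2028) become \uNNNN. Tab is kept because column layout may use it.
func sanitizeField(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\t':
			b.WriteRune(r)
		case r < 0x20 || r == 0x7f || (r >= 0x80 && r <= 0x9f):
			fmt.Fprintf(&b, "\\x%02x", r)
		case !unicode.IsPrint(r):
			fmt.Fprintf(&b, "\\u%04x", r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// hasControlSequences reports whether a field needed rewriting; a forged comm
// or path carrying control bytes is itself worth surfacing to the operator.
func hasControlSequences(s string) bool {
	return sanitizeField(s) != s
}

// renderRow joins sanitized fields the way a columns-style printer would.
func renderRow(fields []string) string {
	out := make([]string, len(fields))
	for i, f := range fields {
		out[i] = sanitizeField(f)
	}
	return strings.Join(out, "  ")
}

func main() {
	// Constructed event: comm carries clear-screen (ESC[2J) and cursor-home (ESC[H).
	row := []string{"default", "shell-7f9c", "\x1b[2J\x1b[Hbash", "/usr/bin/curl"}
	fmt.Println(renderRow(row))
	fmt.Println("flagged:", hasControlSequences(row[2]))
}
```

Invalid UTF-8 bytes decode to U+FFFD during the range loop, so raw non-UTF-8 control bytes never reach the terminal either.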

Affected Systems

The vulnerability applies to the Inspektor Gadget toolset from the Linux Foundation. All releases prior to version 0.49.1 lack the sanitization fix. The advisory and release notes indicate that 0.49.1 and later incorporate the necessary corrections, so any installation using an older version is considered vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk, while the EPSS score of less than 1% points to a very low probability of exploitation at present. The issue does not appear in the CISA KEV catalog, suggesting no known widespread attacks. Based on the description, the likely attack vector is an untrusted or compromised container that can inject forged eBPF events containing malicious ANSI sequences into the monitoring pipeline. The impact is confined to terminal manipulation and does not grant system compromise or data exfiltration, but it can undermine situational awareness for operators.

Generated by OpenCVE AI on April 18, 2026 at 12:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Inspektor Gadget to version 0.49.1 or later, where ANSI escape sequences are sanitized in columns mode.
  • Switch to a non-interactive output format or redirect output to a logfile when an upgrade is not immediately possible, to prevent terminal injection.
  • Enforce stricter container isolation so that only trusted workloads are allowed to generate eBPF events, reducing the likelihood of malicious event injection.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-34r5-6j7w-235f
Title: Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode
History

Mon, 16 Mar 2026 18:15:00 +0000

Type: CPEs
  Values removed: cpe:2.3:a:linuxfoundation:inspektor_gadget:*:*:*:*:*:kubernetes:*:*
  Values added: cpe:2.3:a:linuxfoundation:inspektor_gadget:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 17:30:00 +0000

Type: First Time appeared
  Values added: Linuxfoundation; Linuxfoundation inspektor Gadget
Type: CPEs
  Values added: cpe:2.3:a:linuxfoundation:inspektor_gadget:*:*:*:*:*:kubernetes:*:*
Type: Vendors & Products
  Values added: Linuxfoundation; Linuxfoundation inspektor Gadget
Type: Metrics
  Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 13 Feb 2026 21:45:00 +0000

Type: First Time appeared
  Values added: Inspektor-gadget; Inspektor-gadget inspektor-gadget
Type: Vendors & Products
  Values added: Inspektor-gadget; Inspektor-gadget inspektor-gadget

Thu, 12 Feb 2026 21:15:00 +0000

Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 20:30:00 +0000

Type: Description
  Values added: Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects. The columns output mode is the default when running ig run interactively.
Type: Title
  Values added: Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode
Type: Weaknesses
  Values added: CWE-150
Type: References
Type: Metrics
  Values added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T20:57:00.522Z

Reserved: 2026-02-09T17:41:55.859Z

Link: CVE-2026-25996

Vulnrichment

Updated: 2026-02-12T20:56:45.784Z

NVD

Status: Analyzed

Published: 2026-02-12T21:16:02.820

Modified: 2026-03-16T18:02:26.257

Link: CVE-2026-25996

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses