Description
In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band signaling abuse." This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.
Published: 2026-04-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows a local attacker to execute arbitrary code when viewing a plain‑text file in iTerm2. It arises because the application accepts SSH conductor escape sequences from terminal output that does not belong to a legitimate conductor session, causing DCS 2000p and OSC 135 sequences to be interpreted. When the working directory contains a specially crafted file whose name matches the expected conductor‑encoded path—such as a name beginning with "ace/c+"—the embedded escape sequences can trigger code execution. This weakness is classified as CWE‑829.

Affected Systems

The affected product is iTerm2 from the vendor iTerm2. Versions up to and including 3.6.9 are affected. The CVE data does not enumerate individual earlier releases (the CPE entry is a version wildcard) and gives no fix version.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires a local user to open a .txt file in a directory that contains a maliciously named file, the vector is local. Exploit conditions include the presence of a properly encoded filename and the ability to view the file content in iTerm2. The overall risk is moderate for users who routinely open untrusted text files from directories that may contain unknown file names.

Generated by OpenCVE AI on April 18, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iTerm2 to the latest release that removes the vulnerable handling of the SSH conductor escape sequences.
  • Until an upgrade is available, avoid opening plain‑text files that are stored in directories containing files with unusual or suspicious names such as those beginning with "ace/c+", and verify file names before viewing.
  • Run iTerm2 with minimal privileges or in a sandboxed environment to limit the impact should exploitation occur.
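
A pre-view check for the two conditions the description names, as an added example that is not part of the CVE record or of iTerm2: it flags DCS 2000p and OSC 135 introducers in a file and pathnames beginning with "ace/c+" under the working directory. Assumptions: only the 7-bit encodings (ESC P, ESC ]) are matched, the function names are hypothetical, and the sample bytes are constructed with placeholder bodies.

```python
"""Pre-view check for the conditions named in the CVE description (added example)."""
import re
import sys
from pathlib import Path

# Assumption: only the 7-bit encodings are matched (DCS = ESC P, OSC = ESC ]).
# Raw 8-bit C1 bytes are skipped because they collide with UTF-8 continuation bytes.
SIGNATURES = {
    "DCS 2000p": re.compile(rb"\x1bP2000p"),
    "OSC 135": re.compile(rb"\x1b\]135;"),
}

def scan_bytes(data: bytes) -> list[tuple[str, int]]:
    """Return (sequence name, byte offset) for every signature hit, in file order."""
    hits = [(name, m.start()) for name, rx in SIGNATURES.items() for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])

def suspicious_paths(workdir: Path) -> list[str]:
    """List relative pathnames under workdir that begin with 'ace/c+'."""
    ace = workdir / "ace"
    if not ace.is_dir():
        return []
    return sorted(f"ace/{p.name}" for p in ace.iterdir() if p.name.startswith("c+"))

def check(path: Path, workdir: Path) -> list[str]:
    """Human-readable findings; an empty list means neither condition was seen."""
    findings = [f"{path}: {name} at byte {off}" for name, off in scan_bytes(path.read_bytes())]
    findings += [f"{workdir}: pathname {p!r} matches the ace/c+ prefix"
                 for p in suspicious_paths(workdir)]
    return findings

# Constructed, inert sample: sequence introducers with placeholder bodies only.
SAMPLE = b"notes\n\x1bP2000pPLACEHOLDER\x1b\\\n\x1b]135;PLACEHOLDER\x07\n"

if __name__ == "__main__":
    # Usage: python check.py FILE...  (checks each file against the current directory)
    found = [f for arg in sys.argv[1:] for f in check(Path(arg), Path.cwd())]
    print("\n".join(found) or "no conductor sequences or ace/c+ pathnames found")
    sys.exit(1 if found else 0)
```

A non-zero exit status means at least one finding, so the script can gate a viewer wrapper or a pre-commit hook.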

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 18 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Title Local Code Execution via SSH Conductor Escape Sequences in iTerm2

Sat, 18 Apr 2026 06:00:00 +0000

Type Values Removed Values Added
Description In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band signaling abuse." This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.
First Time appeared Iterm2
Iterm2 iterm2
Weaknesses CWE-829
CPEs cpe:2.3:a:iterm2:iterm2:*:*:*:*:*:*:*:*
Vendors & Products Iterm2
Iterm2 iterm2
References
Metrics cvssV3_1

{'score': 6.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-20T15:52:10.357Z

Reserved: 2026-04-18T05:27:07.778Z

Link: CVE-2026-41253

Vulnrichment

Updated: 2026-04-20T15:52:06.515Z

NVD

Status: Awaiting Analysis

Published: 2026-04-18T06:16:17.427

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-41253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z
