CVE-2024-38395
Published: 16 June 2024
Summary
CVE-2024-38395 is a critical-severity Code Injection (CWE-94) vulnerability in the iTerm2 terminal emulator (vendor: iTerm2). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
In iTerm2 versions before 3.5.2, the setting that controls whether the terminal may report its window title is not enforced. This flaw, tracked as CVE-2024-38395 and assigned CWE-94, affects the widely used macOS terminal emulator and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can supply crafted input, such as escape sequences delivered over SSH or another interactive session, that bypasses the disabled title-reporting feature. Successful exploitation can lead to arbitrary code execution on the host running iTerm2, although the vendor notes the attack is not trivially exploitable.
Public advisories and the project repository indicate that the issue is resolved in release 3.5.2; users are advised to upgrade immediately via the official downloads page or package manager. The referenced commit disables the unsafe title-reporting path when the setting is turned off.
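As an added check (not code from the advisory or the iTerm2 project), the POSIX shell script below reads the installed bundle version on macOS and flags builds older than 3.5.2. It assumes the app lives at /Applications/iTerm.app with a dotted CFBundleShortVersionString, treats a trailing suffix such as "beta1" as a pre-release of that number, and compares components numerically so that 3.5.10 is not mistaken for a pre-3.5.2 build.

```shell
#!/bin/sh
# Added example: flag an installed iTerm2 build that predates the 3.5.2 fix for CVE-2024-38395.
# Assumptions: bundle at /Applications/iTerm.app; CFBundleShortVersionString is dotted ("3.5.1");
# a trailing suffix ("3.5.2beta1") marks a pre-release build of that number.

FIXED_VERSION="3.5.2"

# Keep only the leading dotted numeric part: "3.5.2beta1" -> "3.5.2"
numeric_version() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/'
}

# Print the i-th dot-separated component of $1 as a number (0 when absent).
field() {
  printf '%s\n' "$1" | awk -F. -v i="$2" '{ v = 0; if (i <= NF) v = $i + 0; print v }'
}

# Exit 0 when dotted version $1 is strictly lower than $2 (first three components, numeric).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(field "$1" "$i"); b=$(field "$2" "$i")
    if [ "$a" -lt "$b" ]; then return 0; fi
    if [ "$a" -gt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Exit 0 when the installed version $1 still predates the fixed release.
iterm2_vulnerable() {
  n=$(numeric_version "$1")
  if version_lt "$n" "$FIXED_VERSION"; then return 0; fi
  # Same numbers plus a pre-release suffix (e.g. "3.5.2beta1") is still older than the release
  if [ "$n" = "$FIXED_VERSION" ] && [ "$1" != "$n" ]; then return 0; fi
  return 1
}

# macOS only: print the installed iTerm2 version; exit 1 if the bundle is absent.
installed_iterm2_version() {
  plist="/Applications/iTerm.app/Contents/Info.plist"
  [ -f "$plist" ] || return 1
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
}

main() {
  if v=$(installed_iterm2_version); then
    if iterm2_vulnerable "$v"; then
      echo "iTerm2 $v predates $FIXED_VERSION: affected by CVE-2024-38395, upgrade"
    else
      echo "iTerm2 $v already includes the 3.5.2 fix"
    fi
  else
    echo "iTerm2 not found at /Applications/iTerm.app"
  fi
}

main
```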
The associated EPSS score has remained essentially flat near 0.09 since disclosure, providing no indication of rising exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37299
Vulnerability details
In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable."
- CWE(s): CWE-94 (Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Per-CVE control mapping has not run yet for this entry; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated sandbox, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.