Cyber Resilience

CVE-2024-38396

Critical · Public PoC · RCE

Published: 16 June 2024

Modified: 20 June 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1030 (93.3rd percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38396 is a critical-severity Code Injection (CWE-94) vulnerability in iTerm2. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-38396 affects iTerm2 versions 3.5.x prior to 3.5.2. The flaw stems from unfiltered handling of an escape sequence that reports the window title when the application's built-in tmux integration is active, which is enabled by default. This permits code injection into the terminal and is tracked under CWE-94 with a CVSS 3.1 score of 9.8.

An attacker can supply a malicious escape sequence through a remote host, SSH session, or any untrusted output rendered in the terminal. Because tmux integration processes the sequence without sanitization, the attacker can achieve arbitrary code execution on the user's system without requiring authentication or user interaction.

The referenced commit fc60236a914d63fb70a5c632e211203a4f1bd4dd and the iTerm2 3.5.2 release on the project downloads page address the issue by filtering the escape sequence. The oss-security advisory and the detailed write-up at vin01.github.io both recommend upgrading immediately and disabling tmux integration until patches are applied if downgrades are not feasible.
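A triage helper for the version boundary described above, added here as an example (it is not code from the iTerm2 project or from the referenced advisories). It assumes the default bundle location `/Applications/iTerm.app`, and it assumes that a beta or nightly build numbered at or above 3.5.2 cannot be judged from its version string alone; `classify` and `installed_version` are hypothetical names.

```python
import plistlib
import re
from pathlib import Path

# Assumption: default install location of the iTerm2 application bundle.
DEFAULT_APP = Path("/Applications/iTerm.app")
FIXED = (3, 5, 2)  # first fixed release according to this page
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def classify(version: str) -> str:
    """Return 'affected', 'not-affected' or 'unknown' for a version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    suffix = m[4]
    if (major, minor) != FIXED[:2]:
        return "not-affected"  # the page scopes the issue to the 3.5.x line
    if patch < FIXED[2]:
        return "affected"  # 3.5.0, 3.5.1 and their pre-release builds
    # Assumption: a suffixed build (beta, nightly) numbered at or above the
    # fix cannot be judged from the version string alone.
    return "unknown" if suffix else "not-affected"


def installed_version(app: Path = DEFAULT_APP):
    """Read CFBundleShortVersionString; None if the bundle is absent or unreadable."""
    plist = app / "Contents" / "Info.plist"
    try:
        with plist.open("rb") as fh:
            return plistlib.load(fh).get("CFBundleShortVersionString")
    except (OSError, plistlib.InvalidFileException):
        return None


if __name__ == "__main__":
    # Constructed sample version strings, then the local install if present.
    for sample in ("3.4.23", "3.5.0", "3.5.1beta1", "3.5.2", "3.5.2beta1"):
        print(f"{sample:12} {classify(sample)}")
    found = installed_version()
    print("installed:", found, classify(found) if found else "iTerm2 not found")
```

Hosts reported as `unknown` need manual review; until an affected host is upgraded, the interim measure named above is disabling tmux integration.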

EPSS scores have remained near 0.10 with only minor fluctuation between current and peak values, indicating no pronounced post-disclosure exploitation surge.

EU & UK References

Vulnerability details

An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

iterm2
iterm2
3.5.0 — 3.5.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

References