CVE-2024-38396
Published: 16 June 2024
Summary
CVE-2024-38396 is a critical-severity Code Injection (CWE-94) vulnerability in iTerm2. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-38396 affects iTerm2 versions 3.5.x prior to 3.5.2. The flaw stems from unfiltered handling of an escape sequence that reports the window title when the application's built-in tmux integration is active, which is enabled by default. This permits code injection into the terminal and is tracked under CWE-94 with a CVSS 3.1 score of 9.8.
An attacker can supply a malicious escape sequence through a remote host, SSH session, or any untrusted output rendered in the terminal. Because tmux integration processes the sequence without sanitization, the attacker can achieve arbitrary code execution on the user's system without requiring authentication or user interaction.
The referenced commit fc60236a914d63fb70a5c632e211203a4f1bd4dd and the iTerm2 3.5.2 release on the project downloads page address the issue by filtering the escape sequence. The oss-security advisory and the detailed write-up at vin01.github.io both recommend upgrading immediately and, where an upgrade or downgrade is not feasible, disabling tmux integration until the patch is applied.
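The fix described above is input filtering: output from an untrusted source must not be allowed to carry terminal directives into the emulator. The following Python sanitizer is an added example, not iTerm2's patch and not code from any of the referenced advisories. Because this page does not name the specific sequence that was filtered, the example takes the conservative route and strips every ESC-introduced sequence class (CSI, OSC, DCS/SOS/PM/APC and two-byte ESC sequences) plus stray C0/C1 control characters, which is the approach a defender would apply to remote output, fetched logs or captured sessions before they are rendered in a terminal. The sample text is constructed for the example.

```python
import re

# Escape-sequence classes following ECMA-48 / xterm conventions. Assumption:
# the exact sequence iTerm2 filtered is not given on this page, so every class
# is removed rather than one specific directive.
_CSI = r'\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]'   # ESC [ params intermediates final
_OSC = r'\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)'            # ESC ] ... terminated by BEL or ST
_STR = r'\x1b[PX^_][^\x1b]*\x1b\\'                     # DCS / SOS / PM / APC ... ST
_ESC_OTHER = r'\x1b[\x20-\x2f]*[\x30-\x7e]'            # ESC intermediates final (e.g. ESC ( B)
_ESC_SEQ = re.compile('|'.join((_CSI, _OSC, _STR, _ESC_OTHER)))

# C0 controls other than TAB/LF/CR, DEL, and the C1 control range U+0080..U+009F.
_CTRL = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]')


def sanitize_terminal_output(text: str) -> str:
    """Remove escape sequences and stray control characters from untrusted text.

    An unterminated OSC/DCS string does not match its own pattern; it then falls
    through to _ESC_OTHER, which removes only the introducer, leaving the payload
    as inert printable text rather than a live directive.
    """
    text = _ESC_SEQ.sub('', text)
    return _CTRL.sub('', text)


def count_control_sequences(text: str) -> int:
    """Number of escape sequences present; useful for logging or alerting on untrusted input."""
    return len(_ESC_SEQ.findall(text))


# Constructed sample: ordinary remote output mixed with colour codes and an OSC title directive.
SAMPLE = "remote:~$ cat notes.txt\n\x1b[32mok\x1b[0m \x1b]0;injected title\x07done\n"

if __name__ == "__main__":
    print(f"{count_control_sequences(SAMPLE)} sequence(s) stripped")
    print(sanitize_terminal_output(SAMPLE), end="")
```

The sanitizer deliberately also drops colour and cursor-movement sequences; if those must survive, allow-list the handful of CSI final bytes you need instead of loosening the OSC/DCS rules, since the string-type sequences are the ones that carry free-form data to the emulator.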
EPSS scores have remained near 0.10 with only minor fluctuation between current and peak values, indicating no pronounced post-disclosure exploitation surge.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37300
Vulnerability details
An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.