CVE-2026-25996
Published: 12 February 2026
Summary
CVE-2026-25996 is a critical-severity Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150) vulnerability in Linux Foundation Inspektor Gadget. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 23.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires filtering of string fields from eBPF events prior to terminal output to block control characters and ANSI escape sequences.
Mandates timely identification, reporting, and correction of flaws like the lack of output sanitization fixed in Inspektor Gadget v0.49.1.
Enforces validation of eBPF event inputs from containers to reject forged payloads containing malicious escape sequences before rendering.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsanitized eBPF event output enables terminal escape sequence injection from a monitored container into the operator's interactive ig session, directly facilitating client application exploitation (T1203) that can result in Unix shell command execution or output manipulation (T1059.004) on the defender host.
NVD Description
Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects. The columns output mode is the default when running ig run interactively.
Deeper analysis
CVE-2026-25996 is a critical-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Inspektor Gadget, an open-source framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF technology. The issue stems from string fields in eBPF events being rendered to the terminal in columns output mode without any sanitization of control characters or ANSI escape sequences. This mode is the default when running `ig run` interactively, so a forged event payload can inject escape sequences directly into the operator's terminal.
An attacker who can generate a maliciously forged event payload from an observed container can exploit this remotely with low complexity and no privileges or user interaction required. The payload injection targets the terminal of Inspektor Gadget operators monitoring the cluster, enabling various effects such as terminal manipulation, potentially leading to high impacts on confidentiality, integrity, and availability as scored by CVSS. Exploitation relies on the attacker's ability to influence eBPF events from within a container under observation (CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences).
Mitigation is available via the Inspektor Gadget release v0.49.1, which includes a fix in commit d59cf72971f9b7110d9c179dc8ae8b7a11dbd6d2 to sanitize string fields. Security practitioners should update to this version or later and review the GitHub Security Advisory GHSA-34r5-6j7w-235f for full details on the patch and affected versions.
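One way to neutralize control characters in a string field before a columns-style renderer prints it, shown as an added example: this is not Inspektor Gadget's code and not the fix shipped in v0.49.1. `SanitizeField`, `RenderRow`, the 16-character column width and the sample field values are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// SanitizeField rewrites every control character (C0, DEL, C1) and every
// invalid UTF-8 byte as a visible escape such as \x1b, so the terminal
// displays the sequence as text and never interprets it.
func SanitizeField(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); {
		r, size := utf8.DecodeRuneInString(s[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			// Raw byte that is not valid UTF-8, e.g. an 8-bit CSI (0x9b).
			fmt.Fprintf(&b, `\x%02x`, s[i])
		case unicode.IsControl(r) && r < 0x80:
			// ESC, BEL, CR, LF, TAB, DEL and the other 7-bit controls.
			fmt.Fprintf(&b, `\x%02x`, r)
		case unicode.IsControl(r):
			// C1 controls (U+0080..U+009F) encoded as valid UTF-8.
			fmt.Fprintf(&b, `\u%04x`, r)
		default:
			b.WriteRune(r)
		}
		i += size
	}
	return b.String()
}

// RenderRow sanitizes each field, then pads it into a fixed-width column
// (hypothetical layout; width 16 is an assumption of this example).
func RenderRow(fields ...string) string {
	cols := make([]string, len(fields))
	for i, f := range fields {
		cols[i] = fmt.Sprintf("%-16s", SanitizeField(f))
	}
	return strings.TrimRight(strings.Join(cols, " "), " ")
}

func main() {
	// Constructed event: the second field carries an SGR colour sequence.
	fmt.Println(RenderRow("pod-a", "sh\x1b[31m", "line1\rline2"))
}
```

Sanitizing before padding matters here: the column width is then computed on the text the operator actually sees, not on bytes the terminal would have consumed.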
Details
- CWE(s)