Skip to main content

Iterm2 CVE-2026-41253

| EUVDEUVD-2026-23656 MEDIUM
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-04-18 mitre
6.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 18, 2026 - 06:09 vuln.today
EUVD ID Assigned
Apr 18, 2026 - 06:00 euvd
EUVD-2026-23656
Analysis Generated
Apr 18, 2026 - 06:00 vuln.today
CVE Published
Apr 18, 2026 - 05:27 nvd
MEDIUM 6.9

DescriptionCVE.org

In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band signaling abuse." This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.

AnalysisAI

Remote code execution in iTerm2 through version 3.6.9 allows local attackers to execute arbitrary code by displaying a specially crafted text file when a malicious file with a conductor-protocol-compatible name exists in the working directory. The vulnerability exploits iTerm2's acceptance of SSH conductor protocol sequences (DCS 2000p and OSC 135) from terminal output without validating the source, enabling in-band signaling abuse where filenames themselves become attack vectors. CVSS 6.9 reflects local attack vector and high complexity, but practical exploitation requires user interaction (opening a file) combined with directory-resident malware.

Technical ContextAI

iTerm2 is a macOS terminal emulator that supports advanced terminal protocols including the SSH conductor protocol for authenticated remote session management. The vulnerability stems from improper validation of terminal escape sequences (specifically Device Control String DCS 2000p and Operating System Command OSC 135) that are intended for legitimate conductor protocol sessions. The root cause (CWE-829: Inclusion of Functionality from Untrusted Control Sphere) manifests when iTerm2 processes these protocol sequences from arbitrary terminal output without verifying they originate from an authenticated conductor session. An attacker exploits this by crafting a filename that, when displayed via standard commands like 'cat' on a file with a name matching conductor encoding output (e.g., containing 'ace/c+' substrings), triggers the protocol parser. When the terminal application prints this filename as part of file display or listing, the escape sequences embedded in or induced by the filename are interpreted as legitimate conductor commands, leading to code execution in the iTerm2 process context.

RemediationAI

Update iTerm2 to the patched version released after 3.6.9; refer to https://iterm2.com/downloads.html for the latest release. The upstream fix is documented in commit a9e745993c2e2cbb30b884a16617cd5495899f86 (https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30b884a16617cd5495899f86), which addresses validation of conductor protocol sequences to reject those not originating from legitimate authenticated sessions. Until patching is possible, defensive measures include: avoid displaying or listing files in directories with untrusted or downloaded content, use 'file' or other tools that do not echo filenames verbatim instead of 'cat' on unknown files, and disable or restrict access to terminal paste functionality if available. Users should be cautious when cloning repositories or extracting archives from untrusted sources into home directories where they may later be enumerated.

More in Iterm2

View all
CVE-2024-38396 CRITICAL POC
9.8 Jun 16

An issue was discovered in iTerm2 3.5.x before 3.5.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2023-46301 CRITICAL POC
9.8 Oct 22

iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences relate

CVE-2023-46300 CRITICAL POC
9.8 Oct 22

iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences relate

CVE-2019-9535 CRITICAL POC
9.8 Oct 09

A vulnerability exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execut

CVE-2015-9231 HIGH POC
7.5 Sep 20

iTerm2 3.x before 3.1.1 allows remote attackers to discover passwords by reading DNS queries. Rated high severity (CVSS

CVE-2019-19022 HIGH POC
7.5 Nov 17

iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.i

CVE-2024-38395 CRITICAL
9.8 Jun 16

In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution mi

CVE-2023-46322 CRITICAL
9.8 Oct 23

iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize ssh hostnames in URLs. Rated critical severity (CV

CVE-2023-46321 CRITICAL
9.8 Oct 23

iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize paths in x-man-page URLs. Rated critical severity

CVE-2022-45872 CRITICAL
9.8 Nov 23

iTerm2 before 3.4.18 mishandles a DECRQSS response. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2025-22275 CRITICAL
9.3 Jan 03

iTerm2 3.5.6 through 3.5.10 before 3.5.11 sometimes allows remote attackers to obtain sensitive information from termina

Share

CVE-2026-41253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy