Vulnerability Description
Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects. The columns output mode is the default when running ig run interactively.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Inspektor Gadget | < 0.49.1 |
Related Weaknesses (CWE)
References
- https://github.com/inspektor-gadget/inspektor-gadget/commit/d59cf72971f9b7110d9cPatch
- https://github.com/inspektor-gadget/inspektor-gadget/releases/tag/v0.49.1ProductRelease Notes
- https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-34ExploitVendor Advisory
FAQ
What is CVE-2026-25996?
CVE-2026-25996 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are ...
How severe is CVE-2026-25996?
CVE-2026-25996 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-25996?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Inspektor Gadget.