Vulnerability Description
In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band signaling abuse." This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Iterm2 | Iterm2 | <= 3.6.9 |
Related Weaknesses (CWE)
References
- https://blog.calif.io/p/mad-bugs-even-cat-readmetxt-is-notExploitThird Party Advisory
- https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30b884a16617cd5495899fPatch
- https://iterm2.com/downloads.htmlProduct
- https://news.ycombinator.com/item?id=47809190Issue Tracking
FAQ
What is CVE-2026-41253?
CVE-2026-41253 is a vulnerability with a CVSS score of 6.9 (MEDIUM). In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conducto...
How severe is CVE-2026-41253?
CVE-2026-41253 has been rated MEDIUM with a CVSS base score of 6.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41253?
Check the references section above for vendor advisories and patch information. Affected products include: Iterm2 Iterm2.