CVE-2023-39726

9.8 CRITICAL

📋 TL;DR

A critical vulnerability in Mintty terminal emulator allows remote attackers to execute arbitrary code by sending specially crafted ANSI escape sequences. This affects all users running vulnerable versions of Mintty, particularly those who connect to untrusted remote systems or view untrusted content in their terminal.

💻 Affected Systems

Products:
  • Mintty
Versions: v3.6.4 and earlier
Operating Systems: Windows, Cygwin, MSYS2
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability is in the OSC 50 escape sequence handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full remote code execution with the privileges of the Mintty user, potentially leading to complete system compromise, data theft, or lateral movement.

🟠 Likely Case: Attackers exploit this via malicious SSH servers, compromised remote systems, or crafted content (for example, a malicious file displayed with cat) to execute commands on the victim's machine.

🟢 If Mitigated: Limited impact if users only connect to trusted systems and avoid viewing untrusted content in Mintty.

🌐 Internet-Facing: MEDIUM - Requires user interaction (connecting to malicious server or viewing malicious content), but exploitation can be triggered remotely.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this if users connect to them via Mintty.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - sending crafted ANSI escape sequences triggers the vulnerability. Public proof-of-concept code exists in the referenced advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.6.5 and later

Vendor Advisory: https://github.com/mintty/mintty/security/advisories/GHSA-6wvc-8h2h-5pqg

Restart Required: Yes

Instructions:

1. Download Mintty v3.6.5 or later from the official repository.
2. Replace the existing mintty.exe with the new version.
3. Restart any Mintty terminals.

🔧 Temporary Workarounds

Disable OSC 50 support
  • Applies to: all
  • Description: Disables the vulnerable ANSI escape sequence handler
  • Action: Add 'DisableOsc50=yes' to ~/.minttyrc or mintty configuration

Use alternative terminal
  • Applies to: all
  • Action: Temporarily switch to a different terminal emulator that is not vulnerable

🧯 If You Can't Patch

  • Avoid connecting to untrusted SSH servers or remote systems with Mintty
  • Do not cat or view untrusted files in Mintty terminal

🔍 How to Verify

Check if Vulnerable:

Check the Mintty version with 'mintty --version'. If the version is 3.6.4 or earlier, you are vulnerable.

Check Version:

mintty --version

Verify Fix Applied:

After updating, run 'mintty --version' and confirm the version is 3.6.5 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Mintty terminal
  • Suspicious command execution patterns

Network Indicators:

  • ANSI escape sequences containing OSC 50 in network traffic to terminals

SIEM Query:

process_name="mintty.exe" AND (parent_process contains "ssh" OR command_line contains suspicious patterns)
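To turn the network indicator above (OSC 50 sequences reaching a terminal) into something checkable, here is an added example scanner, not part of this advisory or of Mintty, that finds OSC sequences in a captured byte stream and flags the ones numbered 50. The sample capture is constructed; the regex follows the standard OSC framing (ESC ] or 0x9D introducer, BEL or ST terminator).

```python
import re

# OSC (Operating System Command) is introduced by ESC ] (7-bit) or by the
# C1 byte 0x9D (8-bit) and ends with BEL (0x07) or ST (ESC \ or 0x9C).
# The body is "<number>;<payload>". An unterminated OSC at the end of the
# capture (\Z) is still reported so a truncated capture cannot hide it.
# Caveat: in UTF-8 text 0x9D also occurs as a continuation byte, so run the
# 8-bit match only on raw streams where C1 controls are expected.
OSC_RE = re.compile(
    rb"(?:\x1b\]|\x9d)"             # introducer
    rb"(?P<body>[^\x07\x9c\x1b]*)"  # everything up to a terminator
    rb"(?:\x07|\x9c|\x1b\\|\Z)"     # BEL, ST, or end of capture
)


def find_osc_sequences(stream: bytes):
    """Return (offset, command_number, payload) for every OSC in the stream."""
    found = []
    for m in OSC_RE.finditer(stream):
        num, _, payload = m.group("body").partition(b";")
        found.append((m.start(), num, payload))
    return found


def flag_osc50(stream: bytes):
    """Return the OSC entries whose command number parses as 50.

    Numeric comparison also catches leading-zero variants such as OSC 050,
    which a terminal parses as the same command.
    """
    return [
        entry for entry in find_osc_sequences(stream)
        if entry[1].isdigit() and int(entry[1]) == 50
    ]


# Constructed sample capture: ordinary output, a benign OSC 0 (window title),
# a 7-bit OSC 50 ended by BEL, and an 8-bit OSC 050 ended by ST.
SAMPLE = (
    b"user@host:~$ ls\n"
    b"\x1b]0;my title\x07"
    b"\x1b]50;SomeFont\x07"
    b"plain text\n"
    b"\x9d050;payload\x1b\\"
)

if __name__ == "__main__":
    for offset, num, payload in flag_osc50(SAMPLE):
        print(f"OSC {num.decode()} at byte {offset}: {payload!r}")
```

Feed it the bytes of an SSH session capture or a suspect file before it is displayed; any hit is worth a look on an unpatched host.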
