CVE-2026-21439

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject ASCII control characters and ANSI escape sequences into badkeys tool output, creating misleading results when scanning DKIM and SSH keys. This affects users of badkeys versions 0.0.15 and below who rely on automated scanning results. The misleading output could cause administrators to incorrectly assess the security of cryptographic keys.

💻 Affected Systems

Products:
  • badkeys
Versions: 0.0.15 and below
Operating Systems: All platforms running badkeys
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all scanning modes including --dkim, --dkim-dns, --ssh-lines, and filename-based scanning.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrators accept vulnerable cryptographic keys as secure due to manipulated output, leading to compromised DKIM email authentication or SSH access.

🟠 Likely Case: Confusion in automated scanning pipelines causing manual review delays or incorrect key assessments.

🟢 If Mitigated: Minor output formatting issues that are caught during manual review of scanning results.

🌐 Internet-Facing: LOW - The tool itself is not typically internet-facing, though it scans internet-facing keys.
🏢 Internal Only: MEDIUM - The tool is used internally for security assessments, and misleading results could impact security decisions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept exists in GitHub issues. Exploitation requires the ability to control input to badkeys (e.g., DNS records, SSH key files).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.16

Vendor Advisory: https://github.com/badkeys/badkeys/security/advisories/GHSA-wjpc-4f29-83h3

Restart Required: No

Instructions:

1. Update badkeys using pip: 'pip install --upgrade badkeys==0.0.16'
2. Verify the installation with 'badkeys --version'
3. Test scanning functionality with known test keys.

🔧 Temporary Workarounds

Input sanitization wrapper

linux

Create a wrapper script that strips ASCII control characters from a key file before passing it to badkeys. This only covers file-based scanning; in --dkim-dns mode badkeys fetches the records itself, so the wrapper cannot filter that input.

#!/bin/bash
# Usage: ./badkeys-wrapper.sh <keyfile> [badkeys options]
# Remove C0 control characters (except tab and newline) and DEL from the key
# file, then scan the cleaned copy. Does not help for --dkim-dns input.
set -euo pipefail
clean=$(mktemp)
tr -d '\000-\010\013-\037\177' < "$1" > "$clean"
shift; badkeys "$@" "$clean"; rm -f "$clean"

🧯 If You Can't Patch

  • Manually review all badkeys output for suspicious characters or formatting anomalies
  • Use alternative key validation tools in parallel to verify badkeys results

🔍 How to Verify

Check if Vulnerable:

Run 'badkeys --version' and check if version is 0.0.15 or below

Check Version:

badkeys --version

Verify Fix Applied:

Test with known malicious input containing control characters and verify output is properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual output formatting in badkeys logs
  • Presence of control characters (\x0B, \x1B) in scanning results

Network Indicators:

  • DNS queries for DKIM records followed by unexpected badkeys output

SIEM Query:

process.name:"badkeys" AND (message:"\x0B" OR message:"\x1B" OR message:"ESC")
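A defender-side check for the indicators listed above (control characters such as \x0B and \x1B, ANSI escape sequences), also usable for the "Verify Fix Applied" step: an added example, not code from badkeys or from this advisory. It scans scanner output lines, reports where control sequences occur, and rewrites them as visible escapes so a terminal or log viewer cannot interpret them. The sample output lines are constructed for illustration.

```python
import re

# Constructed sample lines modelled on scanner output; not real badkeys output.
SAMPLE_OUTPUT = [
    "dkim._domainkey.example.com: RSA 2048 bit, no known weaknesses",
    "id_rsa.pub: RSA 1024 bit, weak key\x1b[2K\rid_rsa.pub: RSA 4096 bit, no known weaknesses",
    "selector2._domainkey.example.org: key parse error\x0bfake line: no known weaknesses",
]

# ANSI escape sequences: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL/ST) and
# two-byte ESC sequences. Matched first so a whole sequence is reported once.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI sequence, e.g. ESC[2K (erase line)
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC sequence (terminal title, hyperlinks)
    r"|\x1b[@-Z\\-_]"                      # other two-byte ESC sequences
)
# Any remaining C0 control character (except tab) or DEL.
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def find_control_sequences(line):
    """Return a sorted list of (offset, raw_sequence) for every control/ANSI sequence in line."""
    found = [(m.start(), m.group()) for m in ANSI_RE.finditer(line)]
    # Blank out matched ANSI sequences with spaces so offsets stay stable for the second pass.
    cleaned = ANSI_RE.sub(lambda m: " " * len(m.group()), line)
    found += [(m.start(), m.group()) for m in CTRL_RE.finditer(cleaned)]
    return sorted(found)


def make_visible(line):
    """Rewrite control bytes as printable \\xNN escapes so the terminal cannot act on them."""
    return CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def audit(lines):
    """Return (line_number, visible_line) for each line that carried a control sequence."""
    return [(i, make_visible(l)) for i, l in enumerate(lines, 1) if find_control_sequences(l)]


if __name__ == "__main__":
    for n, shown in audit(SAMPLE_OUTPUT):
        print(f"line {n}: suspicious: {shown}")
```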
