CVE-2026-25996

9.8 CRITICAL

📋 TL;DR

This vulnerability in Inspektor Gadget allows malicious containers to inject ANSI escape sequences into terminal output, potentially enabling terminal manipulation attacks. It affects operators using the default columns output mode interactively. The risk is limited to terminal effects rather than code execution.

💻 Affected Systems

Products:
  • Inspektor Gadget
Versions: All versions before v0.49.1
Operating Systems: Linux with eBPF support
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects interactive use with columns output mode (default for ig run)

⚠️ Risk & Real-World Impact

🔴 Worst Case: Terminal takeover allowing command injection, screen manipulation, or data exfiltration through crafted escape sequences
🟠 Likely Case: Terminal corruption, screen clearing, cursor repositioning, or visual disruption of output
🟢 If Mitigated: Minor visual artifacts or no impact if output sanitization is enabled

🌐 Internet-Facing: LOW - Requires local container access and interactive terminal use
🏢 Internal Only: MEDIUM - Internal attackers with container access could target operators' terminals

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to create malicious containers and target operators using ig interactively

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.49.1

Vendor Advisory: https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-34r5-6j7w-235f

Restart Required: No

Instructions:

1. Update Inspektor Gadget to v0.49.1 or later
2. No restart required - fix applies to new ig run sessions

🔧 Temporary Workarounds

Use JSON output mode (applies to: all versions)

Switch to JSON output, which sanitizes control characters:

ig run --output json

Disable interactive columns mode (applies to: all versions)

Force non-interactive mode or use a different output format:

ig run --output custom-columns

🧯 If You Can't Patch

  • Restrict container creation to trusted users only
  • Use ig only in non-interactive modes or with trusted workloads

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if you run Inspektor Gadget version <0.49.1 and use ig run interactively (the default columns output mode)

Check Version:

ig version

Verify Fix Applied:

Confirm the version is ≥0.49.1, then test that escape sequences in string fields are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual terminal behavior during ig operations
  • ANSI escape sequences in ig output logs
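The two checks above (that string fields are sanitized before reaching the terminal, and that captured ig output is scanned for escape sequences) as an added Go example; this is not Inspektor Gadget's own code, and the project's patched sanitizer may work differently. The sample field and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Constructed sample of a container-controlled string field (e.g. a process
// command line) carrying clear-screen and cursor-home CSI sequences.
const sampleField = "nginx\x1b[2J\x1b[H -g 'daemon off;'"

// ESC followed by a CSI sequence (ESC [ params final byte) or a 2-byte escape.
var ansiEscape = regexp.MustCompile(`\x1b(?:\[[0-?]*[ -/]*[@-~]|[@-Z\x5c-\x5f])`)

// ContainsEscape reports whether s carries an ANSI escape sequence or another
// control character besides ordinary whitespace; run it over captured ig
// output to flag the "escape sequences in logs" indicator.
func ContainsEscape(s string) bool {
	return ansiEscape.MatchString(s) || strings.IndexFunc(s, func(r rune) bool {
		return unicode.IsControl(r) && r != '\t' && r != '\n' && r != '\r'
	}) >= 0
}

// SanitizeField makes an untrusted string safe for an interactive terminal:
// C0 controls (ESC included, so no sequence can start), DEL and C1 controls
// become visible caret or \u notation. The operator still sees what the
// container sent; the terminal never interprets it. Tab and newline are
// escaped too, since they would also break a columns layout.
func SanitizeField(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r < 0x20:
			b.WriteRune('^')
			b.WriteRune('@' + r) // ESC (0x1b) is shown as "^["
		case r == 0x7f:
			b.WriteString("^?")
		case r >= 0x80 && r <= 0x9f:
			b.WriteString(fmt.Sprintf("\\u%04x", r))
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

func main() { fmt.Println(SanitizeField(sampleField)) }
```

Caret notation keeps the field's content inspectable (the operator can see that a container tried to clear the screen) while guaranteeing that no byte in the rendered column can drive the terminal.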

Network Indicators:

  • Not network exploitable - local terminal attack

SIEM Query:

Search for ig run commands with suspicious container activity patterns
