CVE-2026-25996

MEDIUM SEVERITY

Vulnerability Description

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects. The columns output mode is the default when running ig run interactively.

Vulnerability Details

Published Date

February 12, 2026

Last Modified

April 22, 2026

CWE ID

CWE-150

Source

NVD

Vendor

inspektor-gadget

Product

inspektor-gadget

External References

https://github.com/inspektor-gadget/inspektor-gadget/commit/d59cf72971f9b7110d9c179dc8ae8b7a11dbd6d2
https://github.com/inspektor-gadget/inspektor-gadget/releases/tag/v0.49.1
https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-34r5-6j7w-235f

CVE-2026-25996

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment