CVE-2026-25996: Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode
String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences.
Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects.
The columns output mode is the default when running ig run interactively.
References
- github.com/advisories/GHSA-34r5-6j7w-235f
- github.com/inspektor-gadget/inspektor-gadget/commit/d59cf72971f9b7110d9c179dc8ae8b7a11dbd6d2
- github.com/inspektor-gadget/inspektor-gadget/releases/tag/v0.49.1
- github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-34r5-6j7w-235f
- nvd.nist.gov/vuln/detail/CVE-2026-25996
Code Behaviors & Features
Detect and mitigate CVE-2026-25996 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →