PatchSiren cyber security CVE debrief
CVE-2026-41253 iTerm2 CVE debrief
A vulnerability in iTerm2 through version 3.6.9 allows code execution when displaying a .txt file containing malicious terminal escape sequences. The issue stems from iTerm2's acceptance of SSH conductor protocol data (specifically DCS 2000p and OSC 135 sequences) from terminal output that does not originate from a legitimate conductor session. An attacker can exploit this if the working directory contains a maliciously named file matching the conductor encoding path format, such as one with an initial 'ace/c+' substring. This represents a case of in-band signaling abuse where terminal display operations can be coerced into executing arbitrary code. The vulnerability was published on April 18, 2026, with the record last modified on May 18, 2026.
- Vendor: iTerm2
- Product: Unknown
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-04-18
- Advisory updated: 2026-05-18
Who should care
iTerm2 users on macOS who regularly view text files from untrusted sources; security-conscious developers and system administrators who rely on terminal emulators for sensitive operations; organizations with developers using iTerm2 in environments where file contents may be attacker-controlled
Technical summary
The vulnerability exists in iTerm2's handling of Device Control String (DCS) and Operating System Command (OSC) escape sequences. Specifically, DCS 2000p and OSC 135 sequences, which are part of the SSH conductor protocol, are processed even when not originating from an authenticated conductor session. When a user displays a .txt file containing these sequences, and if a malicious file with a name matching the conductor encoding path (e.g., starting with 'ace/c+') exists in the working directory, iTerm2 can be tricked into executing arbitrary code. This is classified as CWE-829: Inclusion of Functionality from Untrusted Control Sphere. The attack requires local access and has high complexity, but no user interaction or privileges are needed once the conditions are met.
Defensive priority
medium
Recommended defensive actions
- Upgrade iTerm2 to a version newer than 3.6.9; a patch commit is available that addresses this vulnerability
- Exercise caution when displaying untrusted .txt files in iTerm2, particularly when the working directory may contain files with names matching the conductor encoding path pattern
- Review terminal output handling in security-sensitive environments to ensure escape sequence filtering is applied where appropriate
- Monitor iTerm2 releases for security updates addressing conductor protocol validation
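One way to apply the filtering and working-directory checks from the list above before a file is displayed, as an added example that is not iTerm2's or PatchSiren's code. It assumes the sequences use the standard 7-bit introducers (ESC P for DCS, ESC ] for OSC); the function names and sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: the sequences use the standard 7-bit ECMA-48 introducers
# (DCS = ESC P, OSC = ESC ]). 8-bit C1 forms are not matched here.
CONDUCTOR_PATTERNS = {
    "DCS 2000p": re.compile(rb"\x1bP2000p"),
    "OSC 135": re.compile(rb"\x1b\]135(?![0-9])"),
}

def find_conductor_sequences(data: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, label) for every conductor-style introducer."""
    hits = []
    for label, pattern in CONDUCTOR_PATTERNS.items():
        hits.extend((m.start(), label) for m in pattern.finditer(data))
    return sorted(hits)

def neutralize(data: bytes) -> bytes:
    """Make ESC visible as '^[' (like `cat -v`) so no sequence is interpreted."""
    return data.replace(b"\x1b", b"^[")

def conductor_like_paths(workdir: str) -> list[str]:
    """List entries under workdir whose relative path starts with 'ace/c+'."""
    root = Path(workdir)
    return sorted(p.relative_to(root).as_posix() for p in root.glob("ace/c+*"))

def safe_to_display(path: str, workdir: str = ".") -> bool:
    """True only if the file has no conductor introducers and workdir is clean."""
    data = Path(path).read_bytes()
    return not find_conductor_sequences(data) and not conductor_like_paths(workdir)

# Constructed sample: ordinary text with inert placeholder payloads.
SAMPLE = (b"release notes\n\x1bP2000pPLACEHOLDER\x1b\\\n"
          b"\x1b]135;PLACEHOLDER\x07\nend\n")

if __name__ == "__main__":
    for offset, label in find_conductor_sequences(SAMPLE):
        print(f"offset {offset}: {label}")
    print(neutralize(SAMPLE).decode())
```
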
Evidence notes
The vulnerability description indicates that iTerm2 accepts SSH conductor protocol sequences from untrusted terminal output, enabling code execution when specific filename patterns exist in the working directory. The CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L) reflects local attack vector with high attack complexity but no privileges or user interaction required, yielding medium severity with high impact on confidentiality and integrity.
Official resources
- CVE-2026-41253 CVE record (CVE.org)
- CVE-2026-41253 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Exploit, Third Party Advisory
- Mitigation or vendor reference: Patch
- Source reference: Product
- Source reference: Issue Tracking
2026-04-18