Jan 6, 2026
badkeys versions <= 0.0.15 printed untrusted input in scan results without neutralizing it. Attackers could inject ANSI escape codes (like `\x1b[2K`) into key metadata or filenames. When `badkeys` printed these strings, the terminal interpreted the codes, allowing attackers to delete lines (hiding positive results) or spoof output. Fixed in 0.0.16 via `repr()` sanitization.
A classic terminal escape injection vulnerability in the 'badkeys' cryptographic auditing tool allowed attackers to manipulate scan results. By embedding ANSI escape sequences in filenames, SSH comments, or DKIM records, malicious actors could hide vulnerability warnings or forge fake alerts directly in the auditor's terminal.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

| Product | Affected Versions | Fixed Version |
|---|---|---|
| badkeys | <= 0.0.15 | 0.0.16 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-150 |
| Attack Vector | Local / User Interaction |
| CVSS v4.0 | 2.0 (Low) |
| Impact | UI Spoofing / Integrity Loss |
| Exploit Status | Proof of Concept Available |
| Vector | Argument Injection / File Content |

CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
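
The `repr()` mitigation described above, shown as an added example (not code from badkeys): it contrasts raw and `repr()`-sanitized output for constructed filename, SSH comment and DKIM inputs, and includes a control-character check usable as a regression test. The function names, the `examplecheck` name and the output line format are assumptions made for illustration.

```python
import re

# C0 controls, DEL and C1 controls (C1 includes the 8-bit CSI, U+009B).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Constructed samples for the three input channels the advisory names.
# \x1b[2K is the erase-line sequence quoted in the advisory; \r returns the
# cursor to column 0 so later text overwrites the line.
SAMPLES = {
    "filename": "key\x1b[2K\r.pem",
    "ssh comment": "user@host\x1b[2K\rno issues found",
    "dkim record": "v=DKIM1; n=\x9b2Knote",
}

def format_unsafe(check: str, source: str) -> str:
    """Pre-fix pattern: attacker-controlled text reaches the terminal raw."""
    return f"{check} vulnerability, {source}"

def format_safe(check: str, source: str) -> str:
    """repr() turns every non-printable character into a visible escape."""
    return f"{check} vulnerability, {source!r}"

def control_chars_in(line: str) -> list[tuple[int, str]]:
    """Offsets and code points of control characters left in an output line.
    Usable as a regression check on any reporting path."""
    return [(m.start(), f"U+{ord(m.group()):04X}")
            for m in CONTROL_CHARS.finditer(line)]

if __name__ == "__main__":
    for channel, value in SAMPLES.items():
        raw = format_unsafe("examplecheck", value)   # hypothetical check name
        safe = format_safe("examplecheck", value)
        print(f"{channel}: raw output carries {control_chars_in(raw)}")
        print(f"{channel}: sanitized -> {safe}")
        assert control_chars_in(safe) == []
```

Because `repr()` also escapes C1 characters, the 8-bit CSI in the DKIM sample is neutralized along with the 7-bit `ESC [` form.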