Platform
macos
Component
iterm2
Fixed in
3.6.10
CVE-2026-41253 describes a code execution vulnerability in iTerm2, a popular macOS terminal emulator. An attacker can exploit this flaw by crafting a malicious .txt file that, when displayed in iTerm2, triggers unintended code execution. This vulnerability affects versions 0.0.0 through 3.6.9 and requires a specific setup involving a malicious file in the working directory. A patch is expected to resolve this issue.
The vulnerability stems from iTerm2's handling of the SSH conductor protocol. Specifically, the application accepts conductor protocol data from terminal output that doesn't originate from a legitimate conductor session. An attacker can leverage this by creating a .txt file with a carefully crafted name and content. When iTerm2 displays this file, the malicious conductor signaling can be triggered, leading to arbitrary code execution. The attacker essentially gains the ability to run commands on the system with the privileges of the iTerm2 process. This could lead to complete system compromise, data theft, and further malicious activity. The "hypothetical in-band signaling abuse" description highlights the potential for a sophisticated attack chain.
CVE-2026-41253 was publicly disclosed on 2026-04-18. The vulnerability's exploitation requires a specific file naming convention and placement within the working directory, potentially limiting its immediate exploitability. There is no known public proof-of-concept (POC) available at this time. The EPSS score is pending evaluation, but the potential for code execution suggests a medium to high probability of exploitation if a readily available exploit is developed. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of iTerm2. The vendor is expected to release a fix shortly. Until then, consider restricting the use of the SSH conductor protocol within iTerm2. This can be achieved by disabling conductor support entirely if it's not essential for your workflow. Alternatively, carefully review any .txt files before displaying them in iTerm2, especially if they originate from untrusted sources. Monitor iTerm2's activity for unusual process executions. After upgrading, verify the fix by attempting to display a known malicious .txt file (if available) and confirming that no code execution occurs.
Update to the latest version of iTerm2 (3.7 or later) to mitigate the vulnerability. The update corrects how iTerm2 handles DCS 2000p and OSC 135 data, preventing the execution of malicious code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-41253 is a medium-severity vulnerability in iTerm2 versions 0.0.0 through 3.6.9 that allows code execution by displaying a malicious .txt file.
If you are using iTerm2 versions 0.0.0 to 3.6.9 and handle files from untrusted sources, you are potentially affected.
Upgrade to a patched version of iTerm2 as soon as it becomes available. Until then, restrict conductor protocol usage or carefully review files before displaying them.
There is currently no confirmed active exploitation of CVE-2026-41253, but the potential for code execution warrants caution.
Refer to the official iTerm2 website and release notes for updates and advisories regarding CVE-2026-41253.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.