CVE-2026-21439: badkeys vulnerable to ASCII control character injection on console via malformed input
An attacker may supply input containing ASCII control characters, such as vertical tabs or ANSI escape sequences, that cause the badkeys command-line tool to print misleading console output. This affects scanning of DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes.
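One way to neutralise this class of input before it reaches the terminal, shown as an added example (it is not the badkeys fix or code from the project): every attacker-influenced field is rewritten so control characters appear as visible escapes. The names `sanitize_for_terminal`, `report_line` and the sample strings are hypothetical and constructed for illustration; the example goes slightly beyond ASCII by also covering 8-bit C1 controls and lone surrogates.

```python
import unicodedata

# Categories made visible: Cc = C0 controls, DEL and C1 controls (ESC,
# vertical tab, CR, backspace, 0x9b CSI); Cs = lone surrogates left behind
# by surrogateescape-decoded filenames.
_UNSAFE_CATEGORIES = {"Cc", "Cs"}


def sanitize_for_terminal(value: str) -> str:
    """Return value with control characters replaced by visible escapes."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")  # keep real backslashes distinguishable
        elif unicodedata.category(ch) in _UNSAFE_CATEGORIES:
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp <= 0xFF else f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def report_line(source: str, finding: str) -> str:
    """Build one output line (hypothetical format); source is untrusted."""
    return f"{finding}: {sanitize_for_terminal(source)}"


# Constructed inputs, modelled on the affected fields.
SAMPLES = [
    # SSH key comment that tries to erase the line and print a fake result
    "ssh-rsa AAAA... user@host\x1b[2K\rno issues found",
    # filename with a vertical tab and a newline forging a second line
    "key.pem\x0b\nsafe.pem: ok",
    # DKIM selector carrying an 8-bit CSI (C1) control
    "selector\x9b31m._domainkey.example.org",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(report_line(sample, "example finding"))
```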
References
- github.com/advisories/GHSA-wjpc-4f29-83h3
- github.com/badkeys/badkeys
- github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a
- github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087
- github.com/badkeys/badkeys/issues/40
- github.com/badkeys/badkeys/security/advisories/GHSA-wjpc-4f29-83h3
- nvd.nist.gov/vuln/detail/CVE-2026-21439