CVE-2022-41138
Description
Zutty before 0.13 mishandles DECRQSS requests, allowing arbitrary code execution via crafted terminal output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Zutty, an X terminal emulator, mishandles DECRQSS (Request Status String) requests in versions before 0.13. When an application writes an invalid DECRQSS sequence to the terminal, Zutty's reply echoes the attacker-controlled request text back into the PTY, where the foreground process (typically the shell) reads it as if the user had typed it; if that text contains a line terminator, the shell runs it as a command. The flaw is the same class as CVE-2008-2383 in xterm. [1][2]
Exploitation
An attacker crafts text containing a malicious DECRQSS sequence whose request string embeds a shell command followed by a newline. If a user or process causes Zutty to render that text (for example by viewing a file or the output of a program the attacker controls), the terminal writes the echoed bytes to the PTY and the shell executes the embedded command. No special privileges are needed; the attacker only needs the crafted bytes to reach the terminal. [1]
Impact
Successful exploitation allows arbitrary command execution with the privileges of the user running Zutty. This can lead to full system compromise, data disclosure, or further propagation. [3]
Mitigation
The vulnerability is fixed in Zutty version 0.13. Users should upgrade to at least this version. The fix is implemented in commit bde7458c60a7bafe08bbeaafbf861eb865edfa38 [2]. There is no known workaround for unpatched versions. The Gentoo Security Advisory GLSA 202209-25 recommends updating to >=x11-terms/zutty-0.13 [3]. Not listed in CISA KEV as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zutty/Zutty
- Range: <0.13
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Echoing invalid DECRQSS input back to the terminal allows escape sequence injection, enabling arbitrary command execution."
Attack vector
A malicious console application (or any content an application writes to the terminal) sends a crafted DECRQSS escape sequence. When Zutty received a DECRQSS request it did not recognise, it previously copied the attacker-controlled request substring into its reply and wrote that reply to the PTY via writePty, so the foreground process received the attacker's bytes as keyboard input; a newline in that substring makes the shell execute the preceding text as a command. This is the same pattern as CVE-2008-2383 [ref_id=1].
Affected code
The vulnerability exists in the DECRQSS (Request Status String) handler within the Zutty terminal emulator. The patch modifies the else branch at line 1782 of the source file, which previously echoed invalid input back to the terminal.
What the fix does
The patch replaces the echo of the invalid request with a fixed cancel reply. Previously, the code built a response containing the attacker-controlled substring (arg.substr(2)) and wrote it to the PTY, so any bytes in that substring reached the shell. The fix sends only the constant "\eP0$r\e\\" (DCS 0 $ r ST, the standard reply for an unrecognised request) regardless of the input, so no attacker-controlled characters are echoed back and interpreted as input [ref_id=1].
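To make the mechanism described under Exploitation and the fix described here concrete, the following C++ program is an added illustration written for this page; it is not Zutty's code. The names (decrqssReplyVulnerable, decrqssReplyFixed, TermState, CRAFTED_ARG, replyHasLineTerminator) and the two recognised settings (SGR and DECSTBM) are assumptions. It builds the pre-fix reply and the post-fix reply for the same crafted request, using a harmless echo as the embedded command, and shows why only the pre-fix reply can be acted on by a shell.

```cpp
#include <cstdio>
#include <string>

// Added illustration, not Zutty's source. It models the DECRQSS exchange the
// page describes: the application sends DCS $ q <Pt> ST and the terminal
// answers DCS 1 $ r <value><Pt> ST for a known setting or DCS 0 $ r ST for an
// unknown one. Whatever the terminal answers is written to the PTY master, so
// the foreground process (normally a shell) receives it as keyboard input.
static const std::string DCS = "\x1bP";   // ESC P
static const std::string ST  = "\x1b\\";  // ESC backslash

// Minimal terminal state so that the two recognised requests have answers
// (assumed for this example).
struct TermState {
    int top = 1, bottom = 24;   // DECSTBM scrolling region
    std::string sgr = "0";      // current SGR attributes
};

// Resolve a request string Pt to its value; false if Pt is not recognised.
static bool lookupSetting(const TermState& st, const std::string& pt, std::string& value) {
    if (pt == "m") { value = st.sgr; return true; }                                             // SGR
    if (pt == "r") { value = std::to_string(st.top) + ";" + std::to_string(st.bottom); return true; } // DECSTBM
    return false;
}

// Pre-0.13 shape: the unrecognised request text (arg.substr(2)) is copied
// into the "invalid" reply, so every byte after "$q" is written to the PTY.
std::string decrqssReplyVulnerable(const TermState& st, const std::string& arg) {
    if (arg.compare(0, 2, "$q") != 0) return "";
    std::string pt = arg.substr(2), value;
    if (lookupSetting(st, pt, value)) return DCS + "1$r" + value + pt + ST;
    return DCS + "0$r" + pt + ST;   // BUG: attacker-controlled bytes go to the PTY
}

// 0.13 shape: a fixed cancel string, independent of the request text.
std::string decrqssReplyFixed(const TermState& st, const std::string& arg) {
    if (arg.compare(0, 2, "$q") != 0) return "";
    std::string pt = arg.substr(2), value;
    if (lookupSetting(st, pt, value)) return DCS + "1$r" + value + pt + ST;
    return DCS + "0$r" + ST;        // nothing from the request is echoed
}

// A line terminator in a reply is what lets a shell act on it: the bytes
// before CR or LF become a command line. A terminal's own replies never need one.
bool replyHasLineTerminator(const std::string& reply) {
    return reply.find('\n') != std::string::npos || reply.find('\r') != std::string::npos;
}

// Constructed request: a DECRQSS whose request string carries a harmless
// shell command bracketed by newlines. An attacker would need these bytes to
// be displayed in the terminal, e.g. inside a file the user views.
const std::string CRAFTED_ARG = "$q\necho injected\n";

// Print a reply with ESC and LF made visible.
static void dump(const char* label, const std::string& s) {
    std::printf("%s:", label);
    for (unsigned char c : s) {
        if (c == 0x1b) std::printf(" ESC");
        else if (c == '\n') std::printf(" LF");
        else std::printf(" %c", c);
    }
    std::printf("\n");
}

int main() {
    TermState st;
    dump("valid SGR query ", decrqssReplyVulnerable(st, "$qm"));
    dump("vulnerable reply", decrqssReplyVulnerable(st, CRAFTED_ARG));
    dump("fixed reply     ", decrqssReplyFixed(st, CRAFTED_ARG));
    std::printf("vulnerable reply reaches the shell as a command line: %s\n",
                replyHasLineTerminator(decrqssReplyVulnerable(st, CRAFTED_ARG)) ? "yes" : "no");
    std::printf("fixed reply reaches the shell as a command line: %s\n",
                replyHasLineTerminator(decrqssReplyFixed(st, CRAFTED_ARG)) ? "yes" : "no");
    return 0;
}
```

The point the comparison makes is that the shell never parses DCS: it sees ESC, P, 0, $, r, then the attacker's bytes, and the first LF ends a command line. The fixed reply contains no attacker bytes at all, so there is nothing for the shell to act on, which is why a constant cancel string is the right fix rather than filtering the echoed text.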
Preconditions
- input: An attacker must be able to write arbitrary text (including escape sequences) to the terminal, typically via a malicious console application or by tricking a user into viewing crafted output.
- config: The terminal must be running a vulnerable version of Zutty (before 0.13).
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- security.gentoo.org/glsa/202209-25 (Gentoo vendor advisory)
- bugs.gentoo.org/868495 (Gentoo bug)
- github.com/tomszilagyi/zutty/commit/bde7458c60a7bafe08bbeaafbf861eb865edfa38 (fix commit)
- github.com/tomszilagyi/zutty/compare/0.12...0.13 (0.12 to 0.13 diff)
News mentions
No linked articles in our index yet.