cat is now an exploit

1. Opening Claim

Reading a file is now an attack surface. The MAD Bugs vulnerability establishes that the command cat readme.txt cannot be treated as a passive read operation. Output rendered to a terminal is capable of producing effects beyond the display of content. That is the position. The specific exploitation primitives, affected versions, and disclosure timeline are not confirmed by the input provided here, and will not be filled in.

The operational consequence is direct. Any workflow that depends on inspecting untrusted file content through a terminal is now suspect. This includes incident response triage on attacker-supplied artefacts, security review of files pulled from untrusted sources, log inspection where log lines originate from user input, and any automation that streams external content to a TTY. The boundary that was assumed to exist between viewing and executing must be re-examined.

The scope of this briefing is constrained. The stated facts are: the vulnerability class is referred to as MAD Bugs, and the example primitive is that cat readme.txt is not safe. Number of affected platforms, mechanism of code or control transfer, attacker prerequisites, and severity scoring are not confirmed. The remainder of this analysis operates within those limits.

2. The Original Assumption

The assumption being overturned is that file reading is a one-way data flow. Under this model, the terminal pulls bytes from a file and renders them. The reader has full agency. The file has none. The user controls the session. The file does not. Security review of a file is therefore considered a safe precondition to deciding what to do with it. This assumption underpins how analysts, engineers, and operators handle unknown content every day.

The assumption extends to tooling. cat, less, tail, and similar utilities are treated as inert. They are not run with sandboxing. They are not constrained by execution policy. They are invoked freely on attacker-controlled data because the operator believes the output channel is display-only. Whether the same assumption was held about utilities beyond cat is not confirmed by the input. The fact provided names only cat readme.txt.

The assumption is also organisational. Detection rules, allow-lists, and behavioural baselines focus on process execution, network egress, and credential use. File read events on local content are generally treated as low-signal. If reading a file does not constitute execution, there is no event of interest to record. Whether the MAD Bugs class produces observable telemetry on affected systems is not confirmed. That gap matters and is addressed by the operator position later in the briefing, which is out of scope for this section.

3. What Changed

The single fact that has changed is this: cat readme.txt is not safe. That sentence is small. The control implication is not. If the act of writing file bytes to a terminal can produce effects beyond rendering, then the terminal is not an output device in the way the operator model assumed. It is an interpreter. The exact interpretation surface, the conditions required to trigger it, and the resulting attacker capability are not confirmed by the input. The interpreter property is.

The trust boundary has moved. Previously, the boundary was at execution: the operator chose what to run, and reading was on the safe side of that line. Now the boundary is at content ingestion: any byte stream destined for a terminal must be treated as potentially active. The author of the bytes becomes a participant in the session. If the bytes originate from an untrusted source, the session is operating with untrusted input in a context that was not designed to validate it.

This also changes how compromise can propagate. A file dropped on disk by an earlier stage of an intrusion no longer requires the operator to execute it. It only requires the operator to look at it. Whether MAD Bugs supports persistence, lateral movement, privilege change, or session takeover is not confirmed by the facts provided. What is confirmed is that the act of viewing is no longer neutral, and any control model that depended on viewing being neutral is now operating on a false premise.

4. Mechanism of Failure or Drift

The failure is located at the boundary between file content and rendering channel. The operator model treats that boundary as one-directional. Bytes flow out of the file. The channel displays them. The channel is assumed to have no semantic engagement with what it receives. MAD Bugs invalidates that assumption for the case of cat readme.txt. The specific interpretation primitive inside the channel is not confirmed by the facts provided. The fact that an interpretation primitive exists is the necessary implication of the stated condition that the read is not safe.

The drift is between what operators believe cat does and what the full path from file to display actually does. cat itself is a byte-mover. The destination of those bytes is a terminal, and the terminal sits on top of layers that may act on specific byte sequences rather than render them. Whether the active surface is in the terminal emulator, the multiplexer, the shell, an installed extension, or some combination is not confirmed. What is confirmed is that the composition of cat plus the destination produces a path on which untrusted bytes are not inert.

This is a category error in the control model, not a coding defect that can be isolated to a single tool. Hardening cat does not close the failure if the interpretive surface lives downstream. Hardening the terminal does not close it if another viewer routes content through the same surface. The control failed because no control was deployed at the byte-ingestion boundary in the first place. There was no policy on what content could reach the renderer because the renderer was not modelled as a consumer of untrusted input. A control that does not exist cannot be ineffective. It is absent.

5. Expansion into Parallel Pattern

The pattern derivable strictly from MAD Bugs is this: when a channel that is treated as passive output also acts on specific patterns within its input, any process that streams untrusted content through that channel is invoking an interpreter without intending to. The read is the invocation. The bytes are the program. The operator is not in the loop because the operator does not believe a loop exists. This is the mechanism. It does not require a vulnerability in the producer. It requires only that the consumer interpret.

The same mechanism applies to any pipeline where an untrusted byte stream terminates at a renderer that has interpretive capability. A log viewer that processes control codes in log lines is the same pattern when the log lines come from external input. A diff tool that emits content from an attacker-controlled file to the same terminal is the same pattern. A pager invoked on an unknown artefact is the same pattern. The shared property is that the operator is choosing to read, and reading routes content into a surface that does more than display. Whether any of those specific tools are affected by MAD Bugs is not confirmed. The pattern is what generalises, not the target list.

The pattern also explains why detection is weak by default. Telemetry pipelines record process starts, network connections, and credential events. They do not record the content of bytes streamed to a TTY, and they do not record which subsequences of those bytes were interpreted as commands to the renderer rather than glyphs to the screen. The interpretive surface operates below the level at which most security tooling collects evidence. Whether MAD Bugs produces any observable artefact under existing telemetry is not confirmed. The structural reason such artefacts would be sparse is necessary from the mechanism.

6. Hard Closing Truth

Untrusted bytes must not reach a live terminal. That is the operator position. The historical assumption that viewing is safe is retired. Inspection of attacker-supplied or attacker-influenced content runs in an environment where the rendering channel cannot act on input. That means hex or byte-level dumps, sanitised views that strip control sequences before display, or isolated sessions whose interpretive surface has no authority over the operator’s primary session. The specific tooling choice is a local decision. The requirement that the rendering channel be neutralised is not.

Incident response procedures that involve cat, tail, less, or any equivalent on artefacts of unknown provenance are now defective procedures until they specify how the rendering channel is contained. Whether other utilities beyond cat are affected by MAD Bugs is not confirmed. The procedure cannot wait for that confirmation. The control model has to assume the interpretive surface is shared until proven otherwise, because the cost of assuming the other way is paid by the responder at the moment of triage. Identity is the boundary, and in this case the operator’s identity is the asset placed at the boundary every time an unknown file is opened.

Controls that are not enforced are not controls. A policy that says analysts will be careful with unknown files is not enforcement. Enforcement is a viewing path that is technically incapable of executing what it renders, applied to every channel where untrusted content can arrive. If the system allows a file to act on the session that opens it, files will act on sessions that open them. MAD Bugs is the present-tense version of that statement. Define the viewing path. Constrain the renderer. Treat every untrusted byte stream as untrusted input to an interpreter, because that is now what it is.