In tmux before version 3.1c the function input csi dispatch sgr colon() in file input.c contained a stack-based buffer-overflow that can be exploited by terminal output.