Common Weakness Enumeration

CWE-663

Allowed

Use of a Non-reentrant Function in a Concurrent Context

Abstraction: Base · Status: Draft

The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.

2 vulnerabilities reference this CWE, most recent first.

CVE-2026-26201 (GCVE-0-2026-26201)

Vulnerability from cvelistv5 – Published: 2026-02-19 19:21 – Updated: 2026-02-19 21:22
VLAI
Title
emp3r0r Affected by Concurrent Map Access DoS (panic/crash)
Summary
emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-663 - Use of a Non-reentrant Function in a Concurrent Context
Assigner
Impacted products
Vendor Product Version
jm33-m0 emp3r0r Affected: < 3.21.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26201",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-19T21:15:33.676053Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-19T21:22:50.955Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "emp3r0r",
          "vendor": "jm33-m0",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.21.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-663",
              "description": "CWE-663: Use of a Non-reentrant Function in a Concurrent Context",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T19:21:05.691Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc"
        },
        {
          "name": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5"
        },
        {
          "name": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2"
        }
      ],
      "source": {
        "advisory": "GHSA-f5p9-j34q-pwcc",
        "discovery": "UNKNOWN"
      },
      "title": "emp3r0r Affected by Concurrent Map Access DoS (panic/crash)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26201",
    "datePublished": "2026-02-19T19:21:05.691Z",
    "dateReserved": "2026-02-11T19:56:24.813Z",
    "dateUpdated": "2026-02-19T21:22:50.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-F5P9-J34Q-PWCC

Vulnerability from github – Published: 2026-02-17 21:27 – Updated: 2026-02-19 21:56
VLAI
Summary
emp3r0r Affected by Concurrent Map Access DoS (panic/crash)
Details

Summary

Multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger fatal error: concurrent map read and map write, causing C2 process crash (availability loss).

Vulnerable Component(with code examples)

Operator relay map had mixed access patterns (iteration and mutation without a single lock policy):

// vulnerable pattern (operator session map)
for sessionID, op := range OPERATORS { // iteration path
    ...
}

// concurrent mutation path elsewhere
OPERATORS[operatorSession] = &operator_t{...}
delete(OPERATORS, operatorSession)

Port-forwarding session map had read/write paths guarded inconsistently:

// vulnerable pattern (port forward map)
if sess, ok := PortFwds[id]; ok { // read path
    ...
}

PortFwds[id] = newSession // write path
delete(PortFwds, id)      // delete path

FTP stream map similarly mixed concurrent iteration with mutation:

// vulnerable pattern (FTP stream map)
for token, stream := range FTPStreams { // iteration path
    ...
}

FTPStreams[token] = stream // write path
delete(FTPStreams, token)  // delete path

Attack Vector

  1. Attacker (or stress traffic in authenticated flows) triggers high concurrency in normal control paths.
  2. Operator sessions connect/disconnect while message forwarding and file-transfer workflows are active.
  3. Concurrent read/write hits shared maps.
  4. Go runtime panics with concurrent map read/write error.
  5. C2 component exits, producing denial of service.

Proof of Concept

  1. Start C2 server with active operator session(s) in a lab environment.
  2. Generate rapid operator session churn (connect/disconnect loops).
  3. Simultaneously drive agent message tunnel traffic and/or file transfer activity.
  4. Observe crash signature in logs: fatal error: concurrent map read and map write.
  5. Optional: run with race detector in dev build to confirm race locations.

Impact

  • C2 service interruption due to process panic/crash.
  • Operational instability under load or deliberate churn.
  • Repeated crash-restart cycles can degrade command reliability and incident response workflows.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/jm33-m0/emp3r0r/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260212232424-ea4d074f081d"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-663"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:27:58Z",
    "nvd_published_at": "2026-02-19T20:25:42Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nMultiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss).\n\n## Vulnerable Component(with code examples)\n\nOperator relay map had mixed access patterns (iteration and mutation without a single lock policy):\n\n```go\n// vulnerable pattern (operator session map)\nfor sessionID, op := range OPERATORS { // iteration path\n    ...\n}\n\n// concurrent mutation path elsewhere\nOPERATORS[operatorSession] = \u0026operator_t{...}\ndelete(OPERATORS, operatorSession)\n```\n\nPort-forwarding session map had read/write paths guarded inconsistently:\n\n```go\n// vulnerable pattern (port forward map)\nif sess, ok := PortFwds[id]; ok { // read path\n    ...\n}\n\nPortFwds[id] = newSession // write path\ndelete(PortFwds, id)      // delete path\n```\n\nFTP stream map similarly mixed concurrent iteration with mutation:\n\n```go\n// vulnerable pattern (FTP stream map)\nfor token, stream := range FTPStreams { // iteration path\n    ...\n}\n\nFTPStreams[token] = stream // write path\ndelete(FTPStreams, token)  // delete path\n```\n\n## Attack Vector\n\n1. Attacker (or stress traffic in authenticated flows) triggers high concurrency in normal control paths.\n2. Operator sessions connect/disconnect while message forwarding and file-transfer workflows are active.\n3. Concurrent read/write hits shared maps.\n4. Go runtime panics with concurrent map read/write error.\n5. C2 component exits, producing denial of service.\n\n## Proof of Concept\n\n1. Start C2 server with active operator session(s) in a lab environment.\n2. Generate rapid operator session churn (connect/disconnect loops).\n3. Simultaneously drive agent message tunnel traffic and/or file transfer activity.\n4. Observe crash signature in logs: `fatal error: concurrent map read and map write`.\n5. Optional: run with race detector in dev build to confirm race locations.\n\n## Impact\n\n- C2 service interruption due to process panic/crash.\n- Operational instability under load or deliberate churn.\n- Repeated crash-restart cycles can degrade command reliability and incident response workflows.",
  "id": "GHSA-f5p9-j34q-pwcc",
  "modified": "2026-02-19T21:56:27Z",
  "published": "2026-02-17T21:27:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26201"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jm33-m0/emp3r0r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "emp3r0r Affected by Concurrent Map Access DoS (panic/crash)"
}

Mitigation
Implementation

Use reentrant functions if available.

Mitigation
Implementation

Add synchronization to your non-reentrant function.

Mitigation
Implementation

In Java, use the ReentrantLock Class.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.