CWE-663
AllowedUse of a Non-reentrant Function in a Concurrent Context
Abstraction: Base · Status: Draft
The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.
2 vulnerabilities reference this CWE, most recent first.
CVE-2026-26201 (GCVE-0-2026-26201)
Vulnerability from cvelistv5 – Published: 2026-02-19 19:21 – Updated: 2026-02-19 21:22| URL | Tags |
|---|---|
| https://github.com/jm33-m0/emp3r0r/security/advis… | x_refsource_CONFIRM |
| https://github.com/jm33-m0/emp3r0r/commit/ea4d074… | x_refsource_MISC |
| https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:15:33.676053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:22:50.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "emp3r0r",
"vendor": "jm33-m0",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-663",
"description": "CWE-663: Use of a Non-reentrant Function in a Concurrent Context",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T19:21:05.691Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc"
},
{
"name": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5"
},
{
"name": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2"
}
],
"source": {
"advisory": "GHSA-f5p9-j34q-pwcc",
"discovery": "UNKNOWN"
},
"title": "emp3r0r Affected by Concurrent Map Access DoS (panic/crash)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26201",
"datePublished": "2026-02-19T19:21:05.691Z",
"dateReserved": "2026-02-11T19:56:24.813Z",
"dateUpdated": "2026-02-19T21:22:50.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-F5P9-J34Q-PWCC
Vulnerability from github – Published: 2026-02-17 21:27 – Updated: 2026-02-19 21:56Summary
Multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger fatal error: concurrent map read and map write, causing C2 process crash (availability loss).
Vulnerable Component(with code examples)
Operator relay map had mixed access patterns (iteration and mutation without a single lock policy):
// vulnerable pattern (operator session map)
for sessionID, op := range OPERATORS { // iteration path
...
}
// concurrent mutation path elsewhere
OPERATORS[operatorSession] = &operator_t{...}
delete(OPERATORS, operatorSession)
Port-forwarding session map had read/write paths guarded inconsistently:
// vulnerable pattern (port forward map)
if sess, ok := PortFwds[id]; ok { // read path
...
}
PortFwds[id] = newSession // write path
delete(PortFwds, id) // delete path
FTP stream map similarly mixed concurrent iteration with mutation:
// vulnerable pattern (FTP stream map)
for token, stream := range FTPStreams { // iteration path
...
}
FTPStreams[token] = stream // write path
delete(FTPStreams, token) // delete path
Attack Vector
- Attacker (or stress traffic in authenticated flows) triggers high concurrency in normal control paths.
- Operator sessions connect/disconnect while message forwarding and file-transfer workflows are active.
- Concurrent read/write hits shared maps.
- Go runtime panics with concurrent map read/write error.
- C2 component exits, producing denial of service.
Proof of Concept
- Start C2 server with active operator session(s) in a lab environment.
- Generate rapid operator session churn (connect/disconnect loops).
- Simultaneously drive agent message tunnel traffic and/or file transfer activity.
- Observe crash signature in logs:
fatal error: concurrent map read and map write. - Optional: run with race detector in dev build to confirm race locations.
Impact
- C2 service interruption due to process panic/crash.
- Operational instability under load or deliberate churn.
- Repeated crash-restart cycles can degrade command reliability and incident response workflows.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/jm33-m0/emp3r0r/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260212232424-ea4d074f081d"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26201"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-663"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T21:27:58Z",
"nvd_published_at": "2026-02-19T20:25:42Z",
"severity": "HIGH"
},
"details": "## Summary\n\nMultiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss).\n\n## Vulnerable Component(with code examples)\n\nOperator relay map had mixed access patterns (iteration and mutation without a single lock policy):\n\n```go\n// vulnerable pattern (operator session map)\nfor sessionID, op := range OPERATORS { // iteration path\n ...\n}\n\n// concurrent mutation path elsewhere\nOPERATORS[operatorSession] = \u0026operator_t{...}\ndelete(OPERATORS, operatorSession)\n```\n\nPort-forwarding session map had read/write paths guarded inconsistently:\n\n```go\n// vulnerable pattern (port forward map)\nif sess, ok := PortFwds[id]; ok { // read path\n ...\n}\n\nPortFwds[id] = newSession // write path\ndelete(PortFwds, id) // delete path\n```\n\nFTP stream map similarly mixed concurrent iteration with mutation:\n\n```go\n// vulnerable pattern (FTP stream map)\nfor token, stream := range FTPStreams { // iteration path\n ...\n}\n\nFTPStreams[token] = stream // write path\ndelete(FTPStreams, token) // delete path\n```\n\n## Attack Vector\n\n1. Attacker (or stress traffic in authenticated flows) triggers high concurrency in normal control paths.\n2. Operator sessions connect/disconnect while message forwarding and file-transfer workflows are active.\n3. Concurrent read/write hits shared maps.\n4. Go runtime panics with concurrent map read/write error.\n5. C2 component exits, producing denial of service.\n\n## Proof of Concept\n\n1. Start C2 server with active operator session(s) in a lab environment.\n2. Generate rapid operator session churn (connect/disconnect loops).\n3. Simultaneously drive agent message tunnel traffic and/or file transfer activity.\n4. Observe crash signature in logs: `fatal error: concurrent map read and map write`.\n5. Optional: run with race detector in dev build to confirm race locations.\n\n## Impact\n\n- C2 service interruption due to process panic/crash.\n- Operational instability under load or deliberate churn.\n- Repeated crash-restart cycles can degrade command reliability and incident response workflows.",
"id": "GHSA-f5p9-j34q-pwcc",
"modified": "2026-02-19T21:56:27Z",
"published": "2026-02-17T21:27:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26201"
},
{
"type": "WEB",
"url": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5"
},
{
"type": "PACKAGE",
"url": "https://github.com/jm33-m0/emp3r0r"
},
{
"type": "WEB",
"url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"type": "CVSS_V4"
}
],
"summary": "emp3r0r Affected by Concurrent Map Access DoS (panic/crash)"
}
Mitigation
Use reentrant functions if available.
Mitigation
Add synchronization to your non-reentrant function.
Mitigation
In Java, use the ReentrantLock Class.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.