CWE-663
Use of a Non-reentrant Function in a Concurrent Context
The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.
CVE-2026-26201 (GCVE-0-2026-26201)
Vulnerability from cvelistv5 – Published: 2026-02-19 19:21 – Updated: 2026-02-19 21:22
VLAI?
Title
emp3r0r Affected by Concurrent Map Access DoS (panic/crash)
Summary
emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:15:33.676053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:22:50.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "emp3r0r",
"vendor": "jm33-m0",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-663",
"description": "CWE-663: Use of a Non-reentrant Function in a Concurrent Context",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T19:21:05.691Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc"
},
{
"name": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5"
},
{
"name": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2"
}
],
"source": {
"advisory": "GHSA-f5p9-j34q-pwcc",
"discovery": "UNKNOWN"
},
"title": "emp3r0r Affected by Concurrent Map Access DoS (panic/crash)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26201",
"datePublished": "2026-02-19T19:21:05.691Z",
"dateReserved": "2026-02-11T19:56:24.813Z",
"dateUpdated": "2026-02-19T21:22:50.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- Use reentrant functions if available.
Mitigation
Phase: Implementation
Description:
- Add synchronization to your non-reentrant function.
Mitigation
Phase: Implementation
Description:
- In Java, use the ReentrantLock Class.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.