CVE-2026-26201

Date: February 18, 2026

Summary

Multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, the Go runtime can trigger "fatal error: concurrent map read and map write", causing a C2 process crash (availability loss).

Vulnerable Component (with code examples)

The operator relay map had mixed access patterns (iteration and mutation without a single lock policy):

```go
// vulnerable pattern (operator session map)
for sessionID, op := range OPERATORS { // iteration path
	...
}

// concurrent mutation path elsewhere
OPERATORS[operatorSession] = &operator_t{...}
delete(OPERATORS, operatorSession)
```

The port-forwarding session map had read/write paths guarded inconsistently:

```go
// vulnerable pattern (port forward map)
if sess, ok := PortFwds[id]; ok { // read path
	...
}
PortFwds[id] = newSession // write path
delete(PortFwds, id)      // delete path
```

The FTP stream map similarly mixed concurrent iteration with mutation:

```go
// vulnerable pattern (FTP stream map)
for token, stream := range FTPStreams { // iteration path
	...
}
FTPStreams[token] = stream // write path
delete(FTPStreams, token)  // delete path
```

Attack Vector

1. Attacker (or stress traffic in authenticated flows) triggers high concurrency in normal control paths.
2. Operator sessions connect/disconnect while message forwarding and file-transfer workflows are active.
3. Concurrent read/write hits shared maps.
4. Go runtime panics with concurrent map read/write error.
5. C2 component exits, producing denial of service.

Proof of Concept

6. Start C2 server with active operator session(s) in a lab environment.
7. Generate rapid operator session churn (connect/disconnect loops).
8. Simultaneously drive agent message tunnel traffic and/or file transfer activity.
9. Observe crash signature in logs: "fatal error: concurrent map read and map write".
10. Optional: run with race detector in dev build to confirm race locations.

Impact

- C2 service interruption due to process panic/crash.
- Operational instability under load or deliberate churn.
- Repeated crash-restart cycles can degrade command reliability and incident response workflows.
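
One way to give a shared map the single lock policy the vulnerable patterns above lack, as an added example: this is not emp3r0r's code and not necessarily how the upstream fix is implemented. The `SessionMap` type, its methods, the `Churn` workload and the `op-…` keys are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// SessionMap (hypothetical) guards one shared map with one RWMutex on every path.
type SessionMap struct {
	mu sync.RWMutex
	m  map[string]int
}

func (s *SessionMap) Store(id string, v int) { s.mu.Lock(); s.m[id] = v; s.mu.Unlock() }
func (s *SessionMap) Delete(id string)       { s.mu.Lock(); delete(s.m, id); s.mu.Unlock() }

// Snapshot copies the entries under the read lock. Callers range over the copy,
// so slow per-entry work (relaying, I/O) never runs while the lock is held.
func (s *SessionMap) Snapshot() map[string]int {
	s.mu.RLock()
	defer s.mu.RUnlock()
	out := make(map[string]int, len(s.m))
	for k, v := range s.m {
		out[k] = v
	}
	return out
}

// Churn runs concurrent connect/iterate/disconnect loops; returns entries left.
func Churn(workers, rounds int) int {
	sm := &SessionMap{m: map[string]int{}}
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(w int) {
			defer wg.Done()
			for i := 0; i < rounds; i++ {
				id := fmt.Sprintf("op-%d-%d", w, i) // constructed session ID
				sm.Store(id, i)
				for range sm.Snapshot() { // iterate a private copy, not the live map
				}
				sm.Delete(id)
			}
		}(w)
	}
	wg.Wait()
	return len(sm.Snapshot())
}

func main() { fmt.Println("entries left after churn:", Churn(8, 2000)) }
```

Running it with `go run -race` exercises the same connect/iterate/disconnect overlap as the proof of concept and should report no data race.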

Severity Score

Weakness Type (CWE)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

Use of a Non-reentrant Function in a Concurrent Context

CWE-663

Top Fix

Upgrade Version

Upgrade to version github.com/jm33-m0/emp3r0r/core - v0.0.0-20260212232424-ea4d074f081d; https://github.com/jm33-m0/emp3r0r.git - v3.21.2

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH
