{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26201", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-11T19:56:24.813Z", "datePublished": "2026-02-19T19:21:05.691Z", "dateUpdated": "2026-02-19T21:22:50.955Z"}, "containers": {"cna": {"title": "emp3r0r Affected by Concurrent Map Access DoS (panic/crash)", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-663", "lang": "en", "description": "CWE-663: Use of a Non-reentrant Function in a Concurrent Context", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc"}, {"name": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5", "tags": ["x_refsource_MISC"], "url": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5"}, {"name": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2"}], "affected": [{"vendor": "jm33-m0", "product": "emp3r0r", "versions": [{"version": "< 3.21.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:21:05.691Z"}, "descriptions": [{"lang": "en", "value": "emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue."}], "source": {"advisory": "GHSA-f5p9-j34q-pwcc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:15:33.676053Z", "id": "CVE-2026-26201", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:22:50.955Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26201", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:15:33.676053Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:15:35.276Z"}}], "cna": {"title": "emp3r0r Affected by Concurrent Map Access DoS (panic/crash)", "source": {"advisory": "GHSA-f5p9-j34q-pwcc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "jm33-m0", "product": "emp3r0r", "versions": [{"status": "affected", "version": "< 3.21.2"}]}], "references": [{"url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc", "name": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5", "name": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2", "name": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-663", "description": "CWE-663: Use of a Non-reentrant Function in a Concurrent Context"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:21:05.691Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26201", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:22:50.955Z", "dateReserved": "2026-02-11T19:56:24.813Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T19:21:05.691Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jm33-m0:emp3r0r:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CC7F922-080A-4112-9443-0E0891F9272F", "versionEndExcluding": "3.21.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue."}], "id": "CVE-2026-26201", "lastModified": "2026-02-26T02:51:06.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T20:25:42.770", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-663"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.21.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "emp3r0r", "source": "cna", "vendor": "jm33-m0"}, "product": "emp3r0r", "vendor": "jm33-m0"}], "analysis": {"en": {"generated_at": "2026-04-17T17:57:06.875925+00:00", "value": {"mitigation_remediation": ["Upgrade emp3r0r to version 3.21.2 or later", "Ensure all running instances are updated before restarting activities", "If upgrade is delayed, throttle concurrent commands or configure serial processing to avoid map contention"], "summary": {"action": "Apply Patch", "impact": "Denial of Service (Availability Loss)"}, "threat_synthesis": {"affected_systems": "The bug appears in all releases of emp3r0r before v3.21.2. The affected product is the command\u2011and\u2011control framework developed by jm33-m0 (username). All systems running a vulnerable version are susceptible to crash under concurrent map access.", "description_and_impact": "Emp3r0r is a command\u2011and\u2011control tool written in Go that uses shared maps across goroutines. Prior to version 3.21.2, the tool does not guard concurrent reads and writes against these maps, creating a race condition that can trigger the Go runtime fatal error \"concurrent map read and map write\". When this occurs the C2 process panics and terminates, resulting in a loss of availability for the compromised host. This vulnerability is a classic race\u2011condition flaw (CWE\u2011362/CWE\u2011663).", "risk_and_exploitability": "The CVSS score of 7 indicates high severity. EPSS is less than 1%, suggesting exploitation is unlikely but not impossible. The CWE identifiers point to a race condition that requires concurrent goroutine activity. Attackers would typically need to trigger a high\u2011concurrency scenario within the C2 process; external network traffic alone may not be sufficient. The vulnerability is not listed in the CISA KEV catalog, meaning no public exploits have been observed yet. The risk remains for systems running older emp3r0r versions that cannot be immediately patched."}}}}, "created": "2026-02-20T09:54:16.045062+00:00", "updated": "2026-04-17T18:00:12.191486+00:00", "vendors": ["jm33-m0", "jm33-m0$PRODUCT$emp3r0r"]}