Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.0
Go Program Crashes When Shared Maps Are Accessed Concurrently
CVE-2026-26201
GHSA-f5p9-j34q-pwcc
Summary
A bug in some Go programs can cause them to crash when many users access shared data at the same time. This can happen when multiple parts of the program try to read and write to the same data simultaneously without proper control. To fix this, developers should ensure that shared data is accessed in a way that prevents concurrent reads and writes.
What to do
- Update github.com jm33-m0 to version 0.0.0-20260212232424-ea4d074f081d.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | jm33-m0 | <= 0.0.0-20260212232424-ea4d074f081d | 0.0.0-20260212232424-ea4d074f081d |
| jm33-m0 | emp3r0r | <= 3.21.2 | – |
Original title
emp3r0r Affected by Concurrent Map Access DoS (panic/crash)
Original description
## Summary
Multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss).
## Vulnerable Component(with code examples)
Operator relay map had mixed access patterns (iteration and mutation without a single lock policy):
```go
// vulnerable pattern (operator session map)
for sessionID, op := range OPERATORS { // iteration path
...
}
// concurrent mutation path elsewhere
OPERATORS[operatorSession] = &operator_t{...}
delete(OPERATORS, operatorSession)
```
Port-forwarding session map had read/write paths guarded inconsistently:
```go
// vulnerable pattern (port forward map)
if sess, ok := PortFwds[id]; ok { // read path
...
}
PortFwds[id] = newSession // write path
delete(PortFwds, id) // delete path
```
FTP stream map similarly mixed concurrent iteration with mutation:
```go
// vulnerable pattern (FTP stream map)
for token, stream := range FTPStreams { // iteration path
...
}
FTPStreams[token] = stream // write path
delete(FTPStreams, token) // delete path
```
## Attack Vector
1. Attacker (or stress traffic in authenticated flows) triggers high concurrency in normal control paths.
2. Operator sessions connect/disconnect while message forwarding and file-transfer workflows are active.
3. Concurrent read/write hits shared maps.
4. Go runtime panics with concurrent map read/write error.
5. C2 component exits, producing denial of service.
## Proof of Concept
1. Start C2 server with active operator session(s) in a lab environment.
2. Generate rapid operator session churn (connect/disconnect loops).
3. Simultaneously drive agent message tunnel traffic and/or file transfer activity.
4. Observe crash signature in logs: `fatal error: concurrent map read and map write`.
5. Optional: run with race detector in dev build to confirm race locations.
## Impact
- C2 service interruption due to process panic/crash.
- Operational instability under load or deliberate churn.
- Repeated crash-restart cycles can degrade command reliability and incident response workflows.
Multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss).
## Vulnerable Component(with code examples)
Operator relay map had mixed access patterns (iteration and mutation without a single lock policy):
```go
// vulnerable pattern (operator session map)
for sessionID, op := range OPERATORS { // iteration path
...
}
// concurrent mutation path elsewhere
OPERATORS[operatorSession] = &operator_t{...}
delete(OPERATORS, operatorSession)
```
Port-forwarding session map had read/write paths guarded inconsistently:
```go
// vulnerable pattern (port forward map)
if sess, ok := PortFwds[id]; ok { // read path
...
}
PortFwds[id] = newSession // write path
delete(PortFwds, id) // delete path
```
FTP stream map similarly mixed concurrent iteration with mutation:
```go
// vulnerable pattern (FTP stream map)
for token, stream := range FTPStreams { // iteration path
...
}
FTPStreams[token] = stream // write path
delete(FTPStreams, token) // delete path
```
## Attack Vector
1. Attacker (or stress traffic in authenticated flows) triggers high concurrency in normal control paths.
2. Operator sessions connect/disconnect while message forwarding and file-transfer workflows are active.
3. Concurrent read/write hits shared maps.
4. Go runtime panics with concurrent map read/write error.
5. C2 component exits, producing denial of service.
## Proof of Concept
1. Start C2 server with active operator session(s) in a lab environment.
2. Generate rapid operator session churn (connect/disconnect loops).
3. Simultaneously drive agent message tunnel traffic and/or file transfer activity.
4. Observe crash signature in logs: `fatal error: concurrent map read and map write`.
5. Optional: run with race detector in dev build to confirm race locations.
## Impact
- C2 service interruption due to process panic/crash.
- Operational instability under load or deliberate churn.
- Repeated crash-restart cycles can degrade command reliability and incident response workflows.
nvd CVSS3.1
7.5
nvd CVSS4.0
7.0
Vulnerability type
CWE-362
Race Condition
CWE-663
- https://nvd.nist.gov/vuln/detail/CVE-2026-26201
- https://github.com/advisories/GHSA-f5p9-j34q-pwcc
- https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5a... Patch
- https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2 Product Release Notes
- https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc Exploit Vendor Advisory
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026