PT-2026-20338 · Emp3R0R · Emp3R0R

Xtle0O0 · Published 2026-02-17 · Updated 2026-03-03 · CVE-2026-26201

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

emp3r0r versions prior to 3.21.2

Description

The software accesses multiple shared maps without consistent synchronization across goroutines. Concurrent activity can trigger a fatal error: concurrent map read and map write, leading to a C2 process crash and resulting in availability loss. The issue stems from mixed access patterns (iteration and mutation) without a single lock policy in maps such as the operator session map, port-forwarding session map, and FTP stream map. An attacker can trigger high concurrency, such as through rapid operator session churn and simultaneous agent message traffic, to exploit this condition. This results in a denial of service as the C2 component exits due to the panic.

Recommendations

Versions prior to 3.21.2 should be updated to version 3.21.2 or later.
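
The single lock policy that the description says was missing, sketched as an added example (this is not emp3r0r's code or its actual patch): one RWMutex guards every mutation and every iteration of a shared map. SessionRegistry, Churn and the integer session ids are hypothetical names chosen for the illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// SessionRegistry is a hypothetical shared map; mu guards every access to it.
type SessionRegistry struct {
	mu       sync.RWMutex
	sessions map[int]int
}

// Put and Delete mutate the map, so both hold the write lock.
func (r *SessionRegistry) Put(id, v int) { r.mu.Lock(); r.sessions[id] = v; r.mu.Unlock() }
func (r *SessionRegistry) Delete(id int) { r.mu.Lock(); delete(r.sessions, id); r.mu.Unlock() }

// Active iterates under the read lock of the same mutex, so a range over
// the map can never overlap a write from another goroutine.
func (r *SessionRegistry) Active() (n int) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	for range r.sessions {
		n++
	}
	return n
}

// Churn has each worker drop, re-add and iterate sessions concurrently.
// Every worker ends with its own session present, so the result is workers.
func Churn(workers, rounds int) int {
	r := &SessionRegistry{sessions: make(map[int]int)}
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < rounds; i++ {
				r.Delete(id)   // session closes
				r.Put(id, i)   // session reconnects
				_ = r.Active() // another code path iterates the map
			}
		}(w)
	}
	wg.Wait()
	return r.Active()
}

func main() { fmt.Println("active sessions:", Churn(8, 500)) }
```

Running it with the race detector enabled (`go run -race`) is a quick way to confirm that every access path to a shared map goes through the same lock.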

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2026-26201
GHSA-F5P9-J34Q-PWCC
GO-2026-4504
SUSE-SU-2026:0757-1

Affected Products

Emp3R0R