Cyber Resilience

CVE-2026-26201

HighPublic PoC

Published: 19 February 2026

Published
19 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 7.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0005 14.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26201 is a high-severity Race Condition (CWE-362) vulnerability in Jm33-M0 Emp3R0R. Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26201 is a concurrency vulnerability in emp3r0r, an open-source command-and-control (C2) framework designed for Linux environments. In versions prior to 3.21.2, multiple shared maps are accessed without proper synchronization across goroutines, leading to a race condition. Under concurrent activity, the Go runtime triggers a fatal error ("concurrent map read and map write"), causing the C2 process to crash and resulting in a loss of availability. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) and CWE-663 (Use of a Non-reentrant Function in a Concurrent Context). It was published on 2026-02-19.

The vulnerability can be exploited remotely by any unauthenticated attacker over the network with low complexity and no user interaction required. Attackers can trigger concurrent activity to induce the race condition, reliably crashing the emp3r0r C2 server process and denying service to its operators. While it does not enable confidentiality or integrity impacts, the availability disruption could interrupt ongoing malicious operations managed through the C2 framework.

Mitigation is available in emp3r0r version 3.21.2, which addresses the synchronization issue. Security practitioners should upgrade to this version if using emp3r0r. Relevant resources include the fixing commit (https://github.com/jm33-m0/emp3r0r/commit/ea4d074f081dac6293f3aec38f01def5f08d5af5), release notes (https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.2), and GitHub security advisory (https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-f5p9-j34q-pwcc).

EU & UK References

Vulnerability details

emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`,…

more

causing C2 process crash (availability loss). Version 3.21.2 fixes this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of the race condition directly triggers application crash/DoS on the C2 server process, matching T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26068Same product: Jm33-M0 Emp3R0R
CVE-2026-42594Shared CWE-362
CVE-2025-21701Shared CWE-362
CVE-2025-30444Shared CWE-362
CVE-2026-34851Shared CWE-362
CVE-2026-41458Shared CWE-362
CVE-2026-28986Shared CWE-362
CVE-2026-34856Shared CWE-362
CVE-2026-46727Shared CWE-362
CVE-2025-43244Shared CWE-362

Affected Assets

jm33-m0
emp3r0r
≤ 3.21.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the race condition vulnerability by requiring timely flaw remediation through upgrading to emp3r0r version 3.21.2.

preventdetect

Protects against remote network-triggered denial-of-service exploits that induce concurrent activity causing the C2 process to crash.

prevent

Ensures availability of critical resources like the emp3r0r C2 process by safeguarding against concurrency-induced failures.

References