CVEReports

CVE-2008-4109

CVE-2008-4109: The Zombie Deadlock — When Logging Kills Your SSH Daemon

Amit Schendel
Senior Security Researcher

Jan 2, 2026 · 6 min read

Executive Summary (TL;DR)

In 2008, multiple Linux distributions patched an OpenSSH vulnerability but accidentally introduced a deadlock condition. By calling `syslog()` inside a `SIGALRM` handler, `sshd` processes could hang indefinitely if interrupted while logging. Attackers could exhaust connection slots (`MaxStartups`), causing a total Denial of Service. This pattern resurfaced in 2024 as CVE-2024-6387, proving that dead code eventually comes back to bite.

A deep dive into a notorious signal handler race condition in OpenSSH that turns security logging into a Denial of Service weapon. This vulnerability highlights the perils of non-async-signal-safe functions and serves as the direct ancestor to the 2024 'regreSSHion' RCE.
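
The handler pattern described in the summary, next to an async-signal-safe alternative. This is an added example, not OpenSSH's code or any distribution's patch; the function names and the log message are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Written by the handler, read from normal (non-signal) context. */
static volatile sig_atomic_t timer_expired = 0;

/* UNSAFE (shown for contrast, never installed here): syslog() is not
 * async-signal-safe. If SIGALRM interrupts code that is already inside
 * syslog() and holds one of its internal locks, this call waits on that
 * lock forever and the process hangs, still occupying a connection slot. */
void unsafe_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "timeout (constructed message)");
    _exit(1);
}

/* SAFE: the handler only records that the timer fired. */
void safe_alarm_handler(int sig)
{
    (void)sig;
    timer_expired = 1;
}

/* Install a SIGALRM handler; returns 0 on success, -1 on error. */
int install_alarm_handler(void (*handler)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main loop: logging happens here, outside the handler.
 * Returns 1 if a timeout was pending and has been handled, else 0. */
int poll_timeout(void)
{
    if (!timer_expired)
        return 0;
    timer_expired = 0;
    syslog(LOG_INFO, "timeout (constructed message, logged outside handler)");
    return 1;
}
```
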

Official Patches

  • Ubuntu: Ubuntu Security Notice USN-649-1
  • Debian: Debian Security Tracker

Technical Appendix

  • CVSS Score: 7.8 / 10
  • CVSS Vector: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
  • EPSS Probability: 0.34% (Top 99% most exploited)

Affected Systems

  • Debian Etch (4.0)
  • Debian Sid/Lenny
  • Ubuntu 6.06 LTS
  • Ubuntu 7.10
  • Ubuntu 8.04 LTS
  • SUSE Linux Enterprise

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| openssh-server (Debian) | < 4.3p2-9etch3 | 4.3p2-9etch3 |
| openssh-server (Canonical) | Ubuntu 8.04 LTS < USN-649-1 | USN-649-1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-364 (Signal Handler Race Condition) |
| Attack Vector | Network (AV:N) |
| CVSS Score | 7.8 (High) |
| Impact | Denial of Service (DoS) / Deadlock |
| Privileges Required | None (Pre-auth) |
| Exploit Status | Proof of Concept Available |

MITRE ATT&CK Mapping

  • T1498: Network Denial of Service (Impact)
  • T1499: Endpoint Denial of Service (Impact)

CWE-364: Signal Handler Race Condition

The software handles a signal in a way that causes the software to enter a state in which it is no longer responsive.

Known Exploits & Detection

  • ExploitDB: OpenSSH (Debian/Ubuntu) - Denial of Service Exploit

Vulnerability Timeline

  • 2006-09-28: CVE-2006-5051 discovered (Original Signal Race)
  • 2008-09-00: Distributions patch 2006-5051 but introduce deadlock (CVE-2008-4109)
  • 2008-09-28: Public disclosure and fixes for CVE-2008-4109
  • 2024-07-01: Qualys discloses regreSSHion (CVE-2024-6387), linking back to 2008-4109

References & Sources

  • [1] Qualys Security Advisory: regreSSHion (Discusses history of 2008-4109)
  • [2] NVD - CVE-2008-4109

Related Vulnerabilities

  • CVE-2006-5051
  • CVE-2024-6387
