Jan 3, 2026·5 min read·46 visits
OpenSSH's sshd calls unsafe functions (syslog) inside a signal handler. By winning a precise race condition, an attacker can corrupt the heap and gain unauthenticated root access. It takes about 6-8 hours of continuous attempts to exploit, but the result is a full system compromise.
A signal handler race condition in OpenSSH's server (sshd) allows unauthenticated remote attackers to achieve root code execution on glibc-based Linux systems. This is a regression of CVE-2006-5051, proving that code history repeats itself if you don't write regression tests.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
OpenSSH OpenBSD | >= 8.5p1, < 9.8p1 | 9.8p1 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (Port 22) |
| Complexity | High (Race Condition) |
| Privileges | None (Unauthenticated) |
| CVSS v3.1 | 8.1 (High) |
| CWE | CWE-364: Signal Handler Race Condition |
| Exploit Status | Proof of Concept Available |
The software executes a signal handler that calls a non-reentrant function, leading to undefined behavior or memory corruption.
CVE-2026-48708 details a critical concurrency synchronization flaw in OliveTin versions < 3000.13.0. A shared package-level text/template.Template instance is accessed concurrently across multiple goroutines without proper synchronization. When concurrent request processing occurs, a race condition causes Go runtime panics or command contamination across separate sessions, enabling denial of service or execution of contaminated commands.
A missing authorization vulnerability in the OliveTin system allows unauthenticated remote actors to query the ValidateArgumentType RPC endpoint. By exploiting this flaw, attackers can execute systematic brute-force and side-channel validation attacks to enumerate active action binding IDs, parameter structures, and operational metadata, bypassing configured guest authentication barriers.
An observable timing discrepancy vulnerability (CWE-208) in Filament's administrative login page allows unauthenticated remote attackers to determine the existence of registered email addresses. This timing side-channel arises from short-circuiting logic that skips expensive password hashing checks when a queried email address is not found in the database. Attackers can execute statistical timing attacks to map active administrator accounts, facilitating subsequent targeted brute-force or credential-stuffing campaigns.
Filament's ImageColumn (used in tables) and ImageEntry (used in infolists) components render database values inside HTML attributes without validation or sanitization. This allows an attacker to inject arbitrary HTML attributes, leading to Stored Cross-Site Scripting (XSS).
The Netty incubator codec for Oblivious HTTP (OHTTP) fails to verify that a cryptographically signed final chunk is received before the outer HTTP body terminates. This missing validation allows an on-path adversary to truncate chunked-OHTTP messages cleanly at a non-final chunk boundary, leading to undetected data truncation and compromising message integrity. The vulnerability affects multiple versions of the maven package io.netty.incubator:netty-incubator-codec-ohttp prior to 0.0.22.Final.
Prior to version 4.1.4, phpMyFAQ used the cryptographically broken SHA-1 algorithm to hash custom attachment encryption keys stored in the database. Attackers with database access can recover these plaintext keys through offline brute-force attacks and subsequently decrypt sensitive file attachments.