CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2024-6387

CVE-2024-6387: regreSSHion - Time is a Flat Circle (of Root Shells)

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 3, 2026·5 min read·46 visits

Executive Summary (TL;DR)

OpenSSH's sshd calls unsafe functions (syslog) inside a signal handler. By winning a precise race condition, an attacker can corrupt the heap and gain unauthenticated root access. It takes about 6-8 hours of continuous attempts to exploit, but the result is a full system compromise.

A signal handler race condition in OpenSSH's server (sshd) allows unauthenticated remote attackers to achieve root code execution on glibc-based Linux systems. This is a regression of CVE-2006-5051, proving that code history repeats itself if you don't write regression tests.

Official Patches

OpenSSHOfficial Release Notes
UbuntuUbuntu Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score
8.1/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
4.20%
Top 15% most exploited
14,000,000
via Shodan

Affected Systems

OpenSSH servers running on glibc-based Linux systemsVersions 8.5p1 through 9.7p1

Affected Versions Detail

Product
Affected Versions
Fixed Version
OpenSSH
OpenBSD
>= 8.5p1, < 9.8p19.8p1
AttributeDetail
Attack VectorNetwork (Port 22)
ComplexityHigh (Race Condition)
PrivilegesNone (Unauthenticated)
CVSS v3.18.1 (High)
CWECWE-364: Signal Handler Race Condition
Exploit StatusProof of Concept Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1068Exploitation for Privilege Escalation
Privilege Escalation
CWE-364
Signal Handler Race Condition

The software executes a signal handler that calls a non-reentrant function, leading to undefined behavior or memory corruption.

Known Exploits & Detection

QualysOriginal technical advisory and PoC strategy
NucleiDetection Template Available

Vulnerability Timeline

Vulnerability Disclosed by Qualys
2024-07-01
OpenSSH 9.8p1 Released
2024-07-01
Added to CISA KEV
2024-07-08

References & Sources

  • [1]Qualys Research Blog
Related Vulnerabilities
CVE-2006-5051

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 3 hours ago•CVE-2026-48708
7.5

CVE-2026-48708: Concurrent Template Parsing Race Condition in OliveTin leading to Cross-Request Command Contamination

CVE-2026-48708 details a critical concurrency synchronization flaw in OliveTin versions < 3000.13.0. A shared package-level text/template.Template instance is accessed concurrently across multiple goroutines without proper synchronization. When concurrent request processing occurs, a race condition causes Go runtime panics or command contamination across separate sessions, enabling denial of service or execution of contaminated commands.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 4 hours ago•CVE-2026-48709
3.7

CVE-2026-48709: Missing Authorization in OliveTin ValidateArgumentType RPC Endpoint

A missing authorization vulnerability in the OliveTin system allows unauthenticated remote actors to query the ValidateArgumentType RPC endpoint. By exploiting this flaw, attackers can execute systematic brute-force and side-channel validation attacks to enumerate active action binding IDs, parameter structures, and operational metadata, bypassing configured guest authentication barriers.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 15 hours ago•CVE-2026-48166
5.3

CVE-2026-48166: Timing-Based User Enumeration on Login Page in Filament

An observable timing discrepancy vulnerability (CWE-208) in Filament's administrative login page allows unauthenticated remote attackers to determine the existence of registered email addresses. This timing side-channel arises from short-circuiting logic that skips expensive password hashing checks when a queried email address is not found in the database. Attackers can execute statistical timing attacks to map active administrator accounts, facilitating subsequent targeted brute-force or credential-stuffing campaigns.

Alon Barad
Alon Barad
7 views•6 min read
•about 16 hours ago•CVE-2026-48167
6.4

CVE-2026-48167: Stored Cross-Site Scripting (XSS) via Attribute Injection in Filament ImageColumn and ImageEntry

Filament's ImageColumn (used in tables) and ImageEntry (used in infolists) components render database values inside HTML attributes without validation or sanitization. This allows an attacker to inject arbitrary HTML attributes, leading to Stored Cross-Site Scripting (XSS).

Amit Schendel
Amit Schendel
9 views•5 min read
•about 16 hours ago•CVE-2026-48480
6.6

CVE-2026-48480: Undetected Stream Truncation in netty-incubator-codec-ohttp

The Netty incubator codec for Oblivious HTTP (OHTTP) fails to verify that a cryptographically signed final chunk is received before the outer HTTP body terminates. This missing validation allows an on-path adversary to truncate chunked-OHTTP messages cleanly at a non-final chunk boundary, leading to undetected data truncation and compromising message integrity. The vulnerability affects multiple versions of the maven package io.netty.incubator:netty-incubator-codec-ohttp prior to 0.0.22.Final.

Alon Barad
Alon Barad
6 views•7 min read
•about 17 hours ago•CVE-2026-48488
2.7

CVE-2026-48488: Weak Cryptographic Hash (SHA-1) Usage for Attachment Encryption Keys in phpMyFAQ

Prior to version 4.1.4, phpMyFAQ used the cryptographically broken SHA-1 algorithm to hash custom attachment encryption keys stored in the database. Attackers with database access can recover these plaintext keys through offline brute-force attacks and subsequently decrypt sensitive file attachments.

Amit Schendel
Amit Schendel
6 views•7 min read