CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2024-6387

CVE-2024-6387: regreSSHion - Time is a Flat Circle (of Root Shells)

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 3, 2026·5 min read·45 visits

Executive Summary (TL;DR)

OpenSSH's sshd calls unsafe functions (syslog) inside a signal handler. By winning a precise race condition, an attacker can corrupt the heap and gain unauthenticated root access. It takes about 6-8 hours of continuous attempts to exploit, but the result is a full system compromise.

A signal handler race condition in OpenSSH's server (sshd) allows unauthenticated remote attackers to achieve root code execution on glibc-based Linux systems. This is a regression of CVE-2006-5051, proving that code history repeats itself if you don't write regression tests.

Official Patches

OpenSSHOfficial Release Notes
UbuntuUbuntu Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score
8.1/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
4.20%
Top 15% most exploited
14,000,000
via Shodan

Affected Systems

OpenSSH servers running on glibc-based Linux systemsVersions 8.5p1 through 9.7p1

Affected Versions Detail

Product
Affected Versions
Fixed Version
OpenSSH
OpenBSD
>= 8.5p1, < 9.8p19.8p1
AttributeDetail
Attack VectorNetwork (Port 22)
ComplexityHigh (Race Condition)
PrivilegesNone (Unauthenticated)
CVSS v3.18.1 (High)
CWECWE-364: Signal Handler Race Condition
Exploit StatusProof of Concept Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1068Exploitation for Privilege Escalation
Privilege Escalation
CWE-364
Signal Handler Race Condition

The software executes a signal handler that calls a non-reentrant function, leading to undefined behavior or memory corruption.

Known Exploits & Detection

QualysOriginal technical advisory and PoC strategy
NucleiDetection Template Available

Vulnerability Timeline

Vulnerability Disclosed by Qualys
2024-07-01
OpenSSH 9.8p1 Released
2024-07-01
Added to CISA KEV
2024-07-08

References & Sources

  • [1]Qualys Research Blog
Related Vulnerabilities
CVE-2006-5051

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 3 hours ago•GHSA-534H-C3CW-V3H9
5.5

GHSA-534h-c3cw-v3h9: Local Information Disclosure via Abstract-Namespace Socket in Nuxt Dev Server

A local security vulnerability in the Nuxt development server (nuxt dev) allows local unprivileged users to access sensitive configuration files and source code. On Linux environments running Node.js 20+, Nuxt bound its internal vite-node IPC server to an abstract-namespace Unix socket without any peer authentication, enabling co-resident local users to connect and request module code directly.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 3 hours ago•GHSA-8RFP-98V4-MMR6
0.0

GHSA-8RFP-98V4-MMR6: Protocol-Filtering Bypass via Unicode Obfuscation in Mozilla Bleach

Mozilla Bleach is an open-source HTML sanitizing library for Python. Versions up to and including 6.3.0 contain an incomplete filtering implementation in the URI validation logic ('sanitize_uri_value'). This logic fails to detect disallowed protocols, such as 'javascript:', if they contain Unicode invisible characters, whitespace characters, or characters with a code point greater than U+00A0. While standard-compliant web browsers do not directly execute invalid URI schemes containing these non-standard characters, downstream systems that normalize Unicode text by stripping invisible or non-ASCII characters can unintentionally reactivate the 'javascript:' prefix, causing Cross-Site Scripting (XSS). Additionally, this behavior violates Bleach's core sanitization contract by outputting URIs that bypass protocol allowlists configured by the caller.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 4 hours ago•GHSA-G75F-G53V-794X
4.3

GHSA-G75F-G53V-794X: CPU Exhaustion via Unbounded Email Regular Expression Scanning in Bleach

An uncontrolled resource consumption vulnerability exists in the Python package Bleach when parsing text to linkify email addresses. When `parse_email=True` is enabled, the regular expression engine is forced into a quadratic-time complexity scan on specially crafted payloads lacking an '@' symbol. This causes immediate CPU exhaustion and blocks application server worker processes.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 4 hours ago•GHSA-GR75-JV2W-4656
4.7

GHSA-GR75-JV2W-4656: Path Traversal and Sandbox Escape in LangChain File-Search Middleware and Loaders

A path traversal and sandbox escape vulnerability in LangChain and LangChain-Anthropic Python packages allows unauthenticated local attackers to access files outside the restricted directory via crafted input, symbolic links, or prefix bypasses.

Alon Barad
Alon Barad
3 views•8 min read
•about 5 hours ago•GHSA-M557-WRGG-6RP4
5.8

GHSA-m557-wrgg-6rp4: Server-Side Request Forgery via Authority Information Access (AIA) Chasing in phpseclib

The PHP Secure Communications Library (phpseclib) contains a Server-Side Request Forgery (SSRF) vulnerability due to an insecure default implementation of Authority Information Access (AIA) certificate chasing. This flaw allows remote, unauthenticated attackers to coerce applications validating user-supplied X.509 certificates into generating arbitrary outbound HTTP requests to internal networks or local interfaces.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 5 hours ago•CVE-2026-45491
6.2

CVE-2026-45491: Directory Traversal via Improper Link Resolution in .NET System.Formats.Tar

A directory traversal vulnerability exists in the Microsoft .NET System.Formats.Tar library during archive extraction. When extracting a TAR archive using the TarFile.ExtractToDirectory API, the extraction engine improperly resolves symbolic links prior to file creation, allowing local unauthorized attackers to write or overwrite arbitrary files outside the target directory. This can lead to local tampering, privilege escalation, or arbitrary code execution.

Amit Schendel
Amit Schendel
8 views•6 min read