{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-9323/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-9323"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["urwid web display backend"],"_cs_severities":["high"],"_cs_tags":["cve-2026-9323","session-hijacking","rce","prng-vulnerability","linux","macos"],"_cs_type":"advisory","_cs_vendors":["Urwid"],"content_html":"\u003cp\u003eCVE-2026-9323 describes a critical vulnerability in the urwid web display backend, specifically within \u003ccode\u003eurwid/display/web.py\u003c/code\u003e. The system generates web session identifiers, known as \u003ccode\u003eurwid_id\u003c/code\u003e, by concatenating two calls to \u003ccode\u003erandom.randrange(10**9)\u003c/code\u003e. This process relies on Python's Mersenne Twister PRNG, which is not cryptographically secure. An attacker who observes approximately 334 such session IDs, for instance via the \u003ccode\u003eX-Urwid-ID\u003c/code\u003e HTTP response header, can fully reconstruct the PRNG's internal state (approximately 19,937 bits) and subsequently predict all past and future session IDs. Compounding this, the same \u003ccode\u003eurwid_id\u003c/code\u003e is used as the filename for a FIFO created in the world-listable \u003ccode\u003e/tmp\u003c/code\u003e directory (e.g., \u003ccode\u003e/tmp/urwid375487765176907690.in\u003c/code\u003e), allowing any local user to enumerate active session tokens directly. This vulnerability enables session hijacking, leading to the ability to read terminal screens, inject keystrokes for OS-level code execution, or cause denial of service by terminating or crashing sessions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker observes approximately 334 \u003ccode\u003eurwid_id\u003c/code\u003e session identifiers, typically via the \u003ccode\u003eX-Urwid-ID\u003c/code\u003e HTTP response header in network traffic.\u003c/li\u003e\n\u003cli\u003eUsing the observed identifiers, the attacker reconstructs the internal state of Python's Mersenne Twister Pseudo-Random Number Generator (PRNG).\u003c/li\u003e\n\u003cli\u003eBased on the reconstructed PRNG state, the attacker can accurately predict past and future \u003ccode\u003eurwid_id\u003c/code\u003e session identifiers for any active urwid web session.\u003c/li\u003e\n\u003cli\u003eAlternatively, a local attacker on the host lists the world-listable \u003ccode\u003e/tmp\u003c/code\u003e directory to enumerate active session tokens directly from the FIFO filenames (e.g., \u003ccode\u003e/tmp/urwid*.in\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWith a predicted or enumerated valid \u003ccode\u003eurwid_id\u003c/code\u003e, the attacker gains unauthorized access to the victim's urwid terminal session.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the victim's terminal screen content via the session's polling endpoint, potentially exfiltrating sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker injects keystrokes into the victim's session, which, if the session is running a shell, can lead to OS-level code execution with the privileges of the session owner.\u003c/li\u003e\n\u003cli\u003eAs a final impact, the attacker can inject exit sequences or flood the session's associated FIFO file, causing the session to terminate or crash, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9323 can lead to severe consequences for affected urwid web display backend deployments. While specific victim counts are not available, any organization using the vulnerable version of urwid could be at risk. The primary impact includes unauthorized information disclosure through reading terminal screens, allowing attackers to view sensitive data. More critically, attackers can achieve OS-level code execution with the privileges of the compromised session owner, enabling data manipulation, further system compromise, or persistent access. Additionally, the vulnerability can be leveraged for denial of service by terminating or crashing user sessions, disrupting critical operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-9323 by upgrading the urwid web display backend to a version that uses a cryptographically secure PRNG for session ID generation and addresses the \u003ccode\u003e/tmp\u003c/code\u003e directory exposure.\u003c/li\u003e\n\u003cli\u003eImplement host-based intrusion detection to monitor for suspicious access patterns to FIFO files within the \u003ccode\u003e/tmp\u003c/code\u003e directory, specifically those matching the \u003ccode\u003eurwid*.in\u003c/code\u003e filename pattern mentioned in CVE-2026-9323.\u003c/li\u003e\n\u003cli\u003eMonitor HTTP response headers for an unusually high volume of \u003ccode\u003eX-Urwid-ID\u003c/code\u003e headers being observed or collected by unauthorized systems, potentially indicating reconnaissance related to CVE-2026-9323.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T14:23:20Z","date_published":"2026-07-18T14:23:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-urwid-session-id-prediction/","summary":"A vulnerability, CVE-2026-9323, in the urwid web display backend (urwid/display/web.py) allows attackers to predict and hijack web session identifiers ('urwid_id') due to the use of a non-cryptographically secure pseudo-random number generator (Python's Mersenne Twister) and the exposure of these IDs as filenames in a world-listable `/tmp` directory, potentially leading to OS-level code execution or denial of service by injecting keystrokes or terminating sessions.","title":"CVE-2026-9323: Urwid Web Display Backend Session ID Prediction Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-urwid-session-id-prediction/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-9323","version":"https://jsonfeed.org/version/1.1"}