<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-9323 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-9323/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 18 Jul 2026 14:23:20 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-9323/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-9323: Urwid Web Display Backend Session ID Prediction Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-urwid-session-id-prediction/</link><pubDate>Sat, 18 Jul 2026 14:23:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-urwid-session-id-prediction/</guid><description>A vulnerability, CVE-2026-9323, in the urwid web display backend (urwid/display/web.py) allows attackers to predict and hijack web session identifiers ('urwid_id') due to the use of a non-cryptographically secure pseudo-random number generator (Python's Mersenne Twister) and the exposure of these IDs as filenames in a world-listable `/tmp` directory, potentially leading to OS-level code execution or denial of service by injecting keystrokes or terminating sessions.</description><content:encoded><![CDATA[<p>CVE-2026-9323 describes a critical vulnerability in the urwid web display backend, specifically within <code>urwid/display/web.py</code>. The system generates web session identifiers, known as <code>urwid_id</code>, by concatenating two calls to <code>random.randrange(10**9)</code>. This process relies on Python's Mersenne Twister PRNG, which is not cryptographically secure. An attacker who observes approximately 334 such session IDs, for instance via the <code>X-Urwid-ID</code> HTTP response header, can fully reconstruct the PRNG's internal state (approximately 19,937 bits) and subsequently predict all past and future session IDs. Compounding this, the same <code>urwid_id</code> is used as the filename for a FIFO created in the world-listable <code>/tmp</code> directory (e.g., <code>/tmp/urwid375487765176907690.in</code>), allowing any local user to enumerate active session tokens directly. This vulnerability enables session hijacking, leading to the ability to read terminal screens, inject keystrokes for OS-level code execution, or cause denial of service by terminating or crashing sessions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker observes approximately 334 <code>urwid_id</code> session identifiers, typically via the <code>X-Urwid-ID</code> HTTP response header in network traffic.</li>
<li>Using the observed identifiers, the attacker reconstructs the internal state of Python's Mersenne Twister Pseudo-Random Number Generator (PRNG).</li>
<li>Based on the reconstructed PRNG state, the attacker can accurately predict past and future <code>urwid_id</code> session identifiers for any active urwid web session.</li>
<li>Alternatively, a local attacker on the host lists the world-listable <code>/tmp</code> directory to enumerate active session tokens directly from the FIFO filenames (e.g., <code>/tmp/urwid*.in</code>).</li>
<li>With a predicted or enumerated valid <code>urwid_id</code>, the attacker gains unauthorized access to the victim's urwid terminal session.</li>
<li>The attacker reads the victim's terminal screen content via the session's polling endpoint, potentially exfiltrating sensitive information.</li>
<li>The attacker injects keystrokes into the victim's session, which, if the session is running a shell, can lead to OS-level code execution with the privileges of the session owner.</li>
<li>As a final impact, the attacker can inject exit sequences or flood the session's associated FIFO file, causing the session to terminate or crash, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-9323 can lead to severe consequences for affected urwid web display backend deployments. While specific victim counts are not available, any organization using the vulnerable version of urwid could be at risk. The primary impact includes unauthorized information disclosure through reading terminal screens, allowing attackers to view sensitive data. More critically, attackers can achieve OS-level code execution with the privileges of the compromised session owner, enabling data manipulation, further system compromise, or persistent access. Additionally, the vulnerability can be leveraged for denial of service by terminating or crashing user sessions, disrupting critical operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-9323 by upgrading the urwid web display backend to a version that uses a cryptographically secure PRNG for session ID generation and addresses the <code>/tmp</code> directory exposure.</li>
<li>Implement host-based intrusion detection to monitor for suspicious access patterns to FIFO files within the <code>/tmp</code> directory, specifically those matching the <code>urwid*.in</code> filename pattern mentioned in CVE-2026-9323.</li>
<li>Monitor HTTP response headers for an unusually high volume of <code>X-Urwid-ID</code> headers being observed or collected by unauthorized systems, potentially indicating reconnaissance related to CVE-2026-9323.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-9323</category><category>session-hijacking</category><category>rce</category><category>prng-vulnerability</category><category>linux</category><category>macos</category></item></channel></rss>