CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2903 vulnerabilities reference this CWE, most recent first.
GHSA-5F38-RVXW-PGXX
Vulnerability from github – Published: 2022-05-14 01:34 – Updated: 2022-05-14 01:34In run of InstallPackageTask.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, it is possible that package verification is turned off and remains off due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-116754444.
{
"affected": [],
"aliases": [
"CVE-2018-9586"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-11T23:29:00Z",
"severity": "HIGH"
},
"details": "In run of InstallPackageTask.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, it is possible that package verification is turned off and remains off due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-116754444.",
"id": "GHSA-5f38-rvxw-pgxx",
"modified": "2022-05-14T01:34:50Z",
"published": "2022-05-14T01:34:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9586"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2019-01-01.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106495"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5F4R-G29M-JW8Q
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 series devices allows physically present attackers to extract the device's protected firmware via a special sequence of Serial Wire Debug (SWD) commands because there is a race condition between full initialization of the SWD interface and the setup of flash protection.
{
"affected": [],
"aliases": [
"CVE-2017-18347"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-12T15:29:00Z",
"severity": "MODERATE"
},
"details": "Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 series devices allows physically present attackers to extract the device\u0027s protected firmware via a special sequence of Serial Wire Debug (SWD) commands because there is a race condition between full initialization of the SWD interface and the setup of flash protection.",
"id": "GHSA-5f4r-g29m-jw8q",
"modified": "2022-05-13T01:10:26Z",
"published": "2022-05-13T01:10:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18347"
},
{
"type": "WEB",
"url": "https://community.st.com/s/question/0D50X00009Xke7aSAB/readout-protection-cracked-on-stm32"
},
{
"type": "WEB",
"url": "https://www.aisec.fraunhofer.de/en/FirmwareProtection.html"
},
{
"type": "WEB",
"url": "https://www.usenix.org/conference/woot17/workshop-program/presentation/obermaier"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5FP8-JQ6M-7H83
Vulnerability from github – Published: 2026-01-14 03:30 – Updated: 2026-01-14 03:30Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2025-68958"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-14T03:15:50Z",
"severity": "HIGH"
},
"details": "Multi-thread race condition vulnerability in the card framework module.\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-5fp8-jq6m-7h83",
"modified": "2026-01-14T03:30:25Z",
"published": "2026-01-14T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68958"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/1"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/1"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinwearables/2026/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FRW-42JX-47V6
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
media: venus: fix use after free bug in venus_remove due to race condition
in venus_probe, core->work is bound with venus_sys_error_handler, which is used to handle error. The code use core->sys_err_done to make sync work. The core->work is started in venus_event_notify.
If we call venus_remove, there might be an unfished work. The possible sequence is as follows:
CPU0 CPU1
|venus_sys_error_handler
venus_remove | hfi_destroy | venus_hfi_destroy | kfree(hdev); | |hfi_reinit |venus_hfi_queues_reinit |//use hdev
Fix it by canceling the work in venus_remove.
{
"affected": [],
"aliases": [
"CVE-2024-49981"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:18Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: fix use after free bug in venus_remove due to race condition\n\nin venus_probe, core-\u003ework is bound with venus_sys_error_handler, which is\nused to handle error. The code use core-\u003esys_err_done to make sync work.\nThe core-\u003ework is started in venus_event_notify.\n\nIf we call venus_remove, there might be an unfished work. The possible\nsequence is as follows:\n\nCPU0 CPU1\n\n |venus_sys_error_handler\nvenus_remove |\nhfi_destroy\t \t\t |\nvenus_hfi_destroy\t |\nkfree(hdev);\t |\n |hfi_reinit\n\t\t\t\t\t |venus_hfi_queues_reinit\n |//use hdev\n\nFix it by canceling the work in venus_remove.",
"id": "GHSA-5frw-42jx-47v6",
"modified": "2025-11-04T00:31:44Z",
"published": "2024-10-21T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49981"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/10941d4f99a5a34999121b314afcd9c0a1c14f15"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a541fcc0bd2b05a458e9613376df1289ec11621"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5098b9e6377577fe13d03e1d8914930f014a3314"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60b6968341a6dd5353554f3e72db554693a128a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/63bbe26471ebdcc3c20bb4cc3950d666279ad658"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b0686aedc5f1343442d044bd64eeac7e7a391f4e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf6be32e2d39f6301ff1831e249d32a8744ab28a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5a85ed88e043474161bbfe54002c89c1cb50ee2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5G2M-574J-WG7C
Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls.
{
"affected": [],
"aliases": [
"CVE-2015-3212"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-08-31T10:59:00Z",
"severity": "MODERATE"
},
"details": "Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls.",
"id": "GHSA-5g2m-574j-wg7c",
"modified": "2022-05-14T01:11:27Z",
"published": "2022-05-14T01:11:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3212"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/2d45a02d0166caf2627fe91897c6ffc3b19514c4"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:1778"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:1787"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:1788"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2015-3212"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1226442"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K05211147"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2d45a02d0166caf2627fe91897c6ffc3b19514c4"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00049.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00011.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1778.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1787.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3329"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.2"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76082"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1033169"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2713-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2714-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2715-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2716-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2717-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2718-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2719-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5GJG-F3CQ-CMWG
Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-10 00:00There is a Race Condition vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to availability affected.
{
"affected": [],
"aliases": [
"CVE-2021-37069"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T15:15:00Z",
"severity": "HIGH"
},
"details": "There is a Race Condition vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to availability affected.",
"id": "GHSA-5gjg-f3cq-cmwg",
"modified": "2021-12-10T00:00:53Z",
"published": "2021-12-09T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37069"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/11"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5GQC-QHRJ-9XW8
Vulnerability from github – Published: 2026-04-14 23:15 – Updated: 2026-04-24 20:39Summary
A race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive).
Impact
A remote client can trigger a server crash by sending rapid KeepAlive requests while a session is expiring or being closed. This is a denial-of-service vulnerability that crashes the entire data server process.
All versions are affected.
Details
In oxiad/dataserver/controller/lead/session.go, the heartbeat() method performs a blocking s.heartbeatCh <- true send. If the channel buffer is full (size 1), this blocks while holding the session mutex, preventing close() from acquiring the lock to close the channel — a deadlock.
Additionally, in session_manager.go, KeepAlive() releases the session manager's read lock before calling heartbeat(), creating a TOCTOU window where the session can be removed and closed between the lookup and the heartbeat call.
Patches
Fixed by changing heartbeat() to use a non-blocking select with a default case, and by holding the session manager read lock through the entire KeepAlive() operation.
Workarounds
No workaround available.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.16.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/oxia-db/oxia"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.16.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40943"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T23:15:00Z",
"nvd_published_at": "2026-04-21T22:16:19Z",
"severity": "HIGH"
},
"details": "### Summary\nA race condition between session heartbeat processing and session closure can cause the server to panic with `send on closed channel`. The `heartbeat()` method uses a blocking channel send while holding a mutex, and under specific timing with concurrent `close()` calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in `KeepAlive`).\n\n### Impact\nA remote client can trigger a server crash by sending rapid `KeepAlive` requests while a session is expiring or being closed. This is a denial-of-service vulnerability that crashes the entire data server process.\n\nAll versions are affected.\n\n### Details\nIn `oxiad/dataserver/controller/lead/session.go`, the `heartbeat()` method performs a blocking `s.heartbeatCh \u003c- true` send. If the channel buffer is full (size 1), this blocks while holding the session mutex, preventing `close()` from acquiring the lock to close the channel \u2014 a deadlock.\n\nAdditionally, in `session_manager.go`, `KeepAlive()` releases the session manager\u0027s read lock before calling `heartbeat()`, creating a TOCTOU window where the session can be removed and closed between the lookup and the heartbeat call.\n\n### Patches\nFixed by changing `heartbeat()` to use a non-blocking `select` with a `default` case, and by holding the session manager read lock through the entire `KeepAlive()` operation.\n\n### Workarounds\nNo workaround available.",
"id": "GHSA-5gqc-qhrj-9xw8",
"modified": "2026-04-24T20:39:44Z",
"published": "2026-04-14T23:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40943"
},
{
"type": "PACKAGE",
"url": "https://github.com/oxia-db/oxia"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Oxia affected by server crash via race condition in session heartbeat handling"
}
GHSA-5GXQ-G22H-VG26
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-30 21:30In the Linux kernel, the following vulnerability has been resolved:
riscv: fix race when vmap stack overflow
Currently, when detecting vmap stack overflow, riscv firstly switches to the so called shadow stack, then use this shadow stack to call the get_overflow_stack() to get the overflow stack. However, there's a race here if two or more harts use the same shadow stack at the same time.
To solve this race, we introduce spin_shadow_stack atomic var, which will be swap between its own address and 0 in atomic way, when the var is set, it means the shadow_stack is being used; when the var is cleared, it means the shadow_stack isn't being used.
[Palmer: Add AQ to the swap, and also some comments.]
{
"affected": [],
"aliases": [
"CVE-2022-49001"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix race when vmap stack overflow\n\nCurrently, when detecting vmap stack overflow, riscv firstly switches\nto the so called shadow stack, then use this shadow stack to call the\nget_overflow_stack() to get the overflow stack. However, there\u0027s\na race here if two or more harts use the same shadow stack at the same\ntime.\n\nTo solve this race, we introduce spin_shadow_stack atomic var, which\nwill be swap between its own address and 0 in atomic way, when the\nvar is set, it means the shadow_stack is being used; when the var\nis cleared, it means the shadow_stack isn\u0027t being used.\n\n[Palmer: Add AQ to the swap, and also some comments.]",
"id": "GHSA-5gxq-g22h-vg26",
"modified": "2024-10-30T21:30:38Z",
"published": "2024-10-21T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49001"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e1864332fbc1b993659eab7974da9fe8bf8c128"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/879fabc5a95401d9bce357e4b1d24ae4a360a81f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac00301adb19df54f2eae1efc4bad7447c0156ce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GXQ-J292-75CC
Vulnerability from github – Published: 2024-03-11 18:31 – Updated: 2024-12-12 18:30In the Linux kernel, the following vulnerability has been resolved:
fs/proc/task_mmu: move mmu notification mechanism inside mm lock
Move mmu notification mechanism inside mm lock to prevent race condition in other components which depend on it. The notifier will invalidate memory range. Depending upon the number of iterations, different memory ranges would be invalidated.
The following warning would be removed by this patch: WARNING: CPU: 0 PID: 5067 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:734 kvm_mmu_notifier_change_pte+0x860/0x960 arch/x86/kvm/../../../virt/kvm/kvm_main.c:734
There is no behavioural and performance change with this patch when there is no component registered with the mmu notifier.
[akpm@linux-foundation.org: narrow the scope of `range', per Sean]
{
"affected": [],
"aliases": [
"CVE-2024-26617"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-11T18:15:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc/task_mmu: move mmu notification mechanism inside mm lock\n\nMove mmu notification mechanism inside mm lock to prevent race condition\nin other components which depend on it. The notifier will invalidate\nmemory range. Depending upon the number of iterations, different memory\nranges would be invalidated.\n\nThe following warning would be removed by this patch:\nWARNING: CPU: 0 PID: 5067 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:734 kvm_mmu_notifier_change_pte+0x860/0x960 arch/x86/kvm/../../../virt/kvm/kvm_main.c:734\n\nThere is no behavioural and performance change with this patch when\nthere is no component registered with the mmu notifier.\n\n[akpm@linux-foundation.org: narrow the scope of `range\u0027, per Sean]",
"id": "GHSA-5gxq-j292-75cc",
"modified": "2024-12-12T18:30:50Z",
"published": "2024-03-11T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26617"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/05509adf297924f51e1493aa86f9fcde1433ed80"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4cccb6221cae6d020270606b9e52b1678fc8b71a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5H3H-5652-8XP5
Vulnerability from github – Published: 2024-03-18 12:30 – Updated: 2025-03-10 15:30In the Linux kernel, the following vulnerability has been resolved:
binder: fix race between mmput() and do_exit()
Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A.
Task A | Task B ------------------+------------------ mmget_not_zero() | | do_exit() | exit_mm() | mmput() mmput() | exit_mmap() | remove_vma() | fput() |
In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead).
This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then.
In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.
{
"affected": [],
"aliases": [
"CVE-2023-52609"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T11:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix race between mmput() and do_exit()\n\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\n\n Task A | Task B\n ------------------+------------------\n mmget_not_zero() |\n | do_exit()\n | exit_mm()\n | mmput()\n mmput() |\n exit_mmap() |\n remove_vma() |\n fput() |\n\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it\u0027s dead).\n\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\n\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm-\u003easync_put_work WQ instead of Task A.",
"id": "GHSA-5h3h-5652-8xp5",
"modified": "2025-03-10T15:30:45Z",
"published": "2024-03-18T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52609"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.