CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2909 vulnerabilities reference this CWE, most recent first.
GHSA-Q29R-XR2F-G7J5
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2022-05-13 01:09In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
{
"affected": [],
"aliases": [
"CVE-2019-0217"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-08T21:29:00Z",
"severity": "HIGH"
},
"details": "In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.",
"id": "GHSA-q29r-xr2f-g7j5",
"modified": "2022-05-13T01:09:38Z",
"published": "2022-05-13T01:09:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0217"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2343"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Apr/5"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190423-0001"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03950en_us"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3937-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3937-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4422"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3436"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3932"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3933"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3935"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4126"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695020"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/e0b8f6e858b1c8ec2ce8e291a2c543d438915037c7af661ab6d33808@%3Cdev.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/04/02/5"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107668"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q2GJ-9R85-P832
Vulnerability from github – Published: 2021-08-25 20:48 – Updated: 2023-06-13 20:47The affected version of rulinalg has incorrect lifetime boundary definitions for RowMut::raw_slice and RowMut::raw_slice_mut. They do not conform with Rust's borrowing rule and allows the user to create multiple mutable references to the same location. This may result in unexpected calculation result and data race if both references are used at the same time.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rulinalg"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"last_affected": "0.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35879"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:06:56Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The affected version of rulinalg has incorrect lifetime boundary definitions for RowMut::raw_slice and RowMut::raw_slice_mut. They do not conform with Rust\u0027s borrowing rule and allows the user to create multiple mutable references to the same location. This may result in unexpected calculation result and data race if both references are used at the same time.",
"id": "GHSA-q2gj-9r85-p832",
"modified": "2023-06-13T20:47:12Z",
"published": "2021-08-25T20:48:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35879"
},
{
"type": "WEB",
"url": "https://github.com/AtheMathmo/rulinalg/issues/201"
},
{
"type": "PACKAGE",
"url": "https://github.com/AtheMathmo/rulinalg"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0023.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Data races in rulinalg"
}
GHSA-Q2GV-W495-JMXW
Vulnerability from github – Published: 2022-05-17 03:31 – Updated: 2022-05-17 03:31Multiple race conditions in dom/media/systemservices/CamerasChild.cpp in the WebRTC implementation in Mozilla Firefox before 45.0 on Windows might allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
{
"affected": [],
"aliases": [
"CVE-2016-1975"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-03-13T18:59:00Z",
"severity": "MODERATE"
},
"details": "Multiple race conditions in dom/media/systemservices/CamerasChild.cpp in the WebRTC implementation in Mozilla Firefox before 45.0 on Windows might allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.",
"id": "GHSA-q2gv-w495-jmxw",
"modified": "2022-05-17T03:31:20Z",
"published": "2022-05-17T03:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1975"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1230768"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201605-06"
},
{
"type": "WEB",
"url": "http://hg.mozilla.org/releases/mozilla-release/rev/bafc86c12e63"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2016/mfsa2016-32.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/84220"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1035215"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q2VP-HGH9-QP96
Vulnerability from github – Published: 2023-01-21 03:30 – Updated: 2023-01-30 18:30A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request. A handler thread can use an overwritten context->FileName.
{
"affected": [],
"aliases": [
"CVE-2023-24042"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-21T02:15:00Z",
"severity": "HIGH"
},
"details": "A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request. A handler thread can use an overwritten context-\u003eFileName.",
"id": "GHSA-q2vp-hgh9-qp96",
"modified": "2023-01-30T18:30:29Z",
"published": "2023-01-21T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24042"
},
{
"type": "WEB",
"url": "https://github.com/hfiref0x/LightFTP/issues/25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q32W-2QJP-8M8Q
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-20 18:31In the Linux kernel, the following vulnerability has been resolved:
tracing/synthetic: Fix races on freeing last_cmd
Currently, the "last_cmd" variable can be accessed by multiple processes asynchronously when multiple users manipulate synthetic_events node at the same time, it could lead to use-after-free or double-free.
This patch add "lastcmd_mutex" to prevent "last_cmd" from being accessed asynchronously.
================================================================
It's easy to reproduce in the KASAN environment by running the two scripts below in different shells.
script 1: while : do echo -n -e '\x88' > /sys/kernel/tracing/synthetic_events done
script 2: while : do echo -n -e '\xb0' > /sys/kernel/tracing/synthetic_events done
================================================================ double-free scenario:
process A process B
------------------- --------------- 1.kstrdup last_cmd 2.free last_cmd 3.free last_cmd(double-free)
================================================================ use-after-free scenario:
process A process B
------------------- --------------- 1.kstrdup last_cmd 2.free last_cmd 3.tracing_log_err(use-after-free)
================================================================
Appendix 1. KASAN report double-free:
BUG: KASAN: double-free in kfree+0xdc/0x1d4 Free of addr * by task sh/4879 Call trace: ... kfree+0xdc/0x1d4 create_or_delete_synth_event+0x60/0x1e8 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...
Allocated by task 4879: ... kstrdup+0x5c/0x98 create_or_delete_synth_event+0x6c/0x1e8 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...
Freed by task 5464: ... kfree+0xdc/0x1d4 create_or_delete_synth_event+0x60/0x1e8 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...
================================================================ Appendix 2. KASAN report use-after-free:
BUG: KASAN: use-after-free in strlen+0x5c/0x7c Read of size 1 at addr * by task sh/5483 sh: CPU: 7 PID: 5483 Comm: sh ... __asan_report_load1_noabort+0x34/0x44 strlen+0x5c/0x7c tracing_log_err+0x60/0x444 create_or_delete_synth_event+0xc4/0x204 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...
Allocated by task 5483: ... kstrdup+0x5c/0x98 create_or_delete_synth_event+0x80/0x204 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...
Freed by task 5480: ... kfree+0xdc/0x1d4 create_or_delete_synth_event+0x74/0x204 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...
{
"affected": [],
"aliases": [
"CVE-2023-53478"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/synthetic: Fix races on freeing last_cmd\n\nCurrently, the \"last_cmd\" variable can be accessed by multiple processes\nasynchronously when multiple users manipulate synthetic_events node\nat the same time, it could lead to use-after-free or double-free.\n\nThis patch add \"lastcmd_mutex\" to prevent \"last_cmd\" from being accessed\nasynchronously.\n\n================================================================\n\nIt\u0027s easy to reproduce in the KASAN environment by running the two\nscripts below in different shells.\n\nscript 1:\n while :\n do\n echo -n -e \u0027\\x88\u0027 \u003e /sys/kernel/tracing/synthetic_events\n done\n\nscript 2:\n while :\n do\n echo -n -e \u0027\\xb0\u0027 \u003e /sys/kernel/tracing/synthetic_events\n done\n\n================================================================\ndouble-free scenario:\n\n process A process B\n------------------- ---------------\n1.kstrdup last_cmd\n 2.free last_cmd\n3.free last_cmd(double-free)\n\n================================================================\nuse-after-free scenario:\n\n process A process B\n------------------- ---------------\n1.kstrdup last_cmd\n 2.free last_cmd\n3.tracing_log_err(use-after-free)\n\n================================================================\n\nAppendix 1. KASAN report double-free:\n\nBUG: KASAN: double-free in kfree+0xdc/0x1d4\nFree of addr ***** by task sh/4879\nCall trace:\n ...\n kfree+0xdc/0x1d4\n create_or_delete_synth_event+0x60/0x1e8\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\nAllocated by task 4879:\n ...\n kstrdup+0x5c/0x98\n create_or_delete_synth_event+0x6c/0x1e8\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\nFreed by task 5464:\n ...\n kfree+0xdc/0x1d4\n create_or_delete_synth_event+0x60/0x1e8\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\n================================================================\nAppendix 2. KASAN report use-after-free:\n\nBUG: KASAN: use-after-free in strlen+0x5c/0x7c\nRead of size 1 at addr ***** by task sh/5483\nsh: CPU: 7 PID: 5483 Comm: sh\n ...\n __asan_report_load1_noabort+0x34/0x44\n strlen+0x5c/0x7c\n tracing_log_err+0x60/0x444\n create_or_delete_synth_event+0xc4/0x204\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\nAllocated by task 5483:\n ...\n kstrdup+0x5c/0x98\n create_or_delete_synth_event+0x80/0x204\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\nFreed by task 5480:\n ...\n kfree+0xdc/0x1d4\n create_or_delete_synth_event+0x74/0x204\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...",
"id": "GHSA-q32w-2qjp-8m8q",
"modified": "2026-01-20T18:31:52Z",
"published": "2025-10-01T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53478"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ccf11c4e8a8e051499d53a12f502196c97a758e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8826d9e7bd51e7656f78baa4472e8e2f5e7069f0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9fe183f659a2704255e5d84f6ae308c234a113ec"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q35M-CWFX-J6JX
Vulnerability from github – Published: 2025-12-16 15:30 – Updated: 2026-02-26 18:31In the Linux kernel, the following vulnerability has been resolved:
timers: Fix NULL function pointer race in timer_shutdown_sync()
There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers().
The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this:
CPU0 CPU1 lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base()
The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers().
Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.
{
"affected": [],
"aliases": [
"CVE-2025-68214"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T14:15:54Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers: Fix NULL function pointer race in timer_shutdown_sync()\n\nThere is a race condition between timer_shutdown_sync() and timer\nexpiration that can lead to hitting a WARN_ON in expire_timers().\n\nThe issue occurs when timer_shutdown_sync() clears the timer function\nto NULL while the timer is still running on another CPU. The race\nscenario looks like this:\n\nCPU0\t\t\t\t\tCPU1\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tbase-\u003erunning_timer = timer;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t[call_timer_fn enter]\n\t\t\t\t\tmod_timer()\n\t\t\t\t\t...\ntimer_shutdown_sync()\nlock_timer_base()\n// For now, will not detach the timer but only clear its function to NULL\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\t\t\t\t\t[call_timer_fn exit]\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\tbase-\u003erunning_timer = NULL;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t...\n\t\t\t\t\t// Now timer is pending while its function set to NULL.\n\t\t\t\t\t// next timer trigger\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tWARN_ON_ONCE(!fn) // hit\n\t\t\t\t\t...\nlock_timer_base()\n// Now timer will detach\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\nThe problem is that timer_shutdown_sync() clears the timer function\nregardless of whether the timer is currently running. This can leave a\npending timer with a NULL function pointer, which triggers the\nWARN_ON_ONCE(!fn) check in expire_timers().\n\nFix this by only clearing the timer function when actually detaching the\ntimer. If the timer is running, leave the function pointer intact, which is\nsafe because the timer will be properly detached when it finishes running.",
"id": "GHSA-q35m-cwfx-j6jx",
"modified": "2026-02-26T18:31:34Z",
"published": "2025-12-16T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68214"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba43ac025c4318241f8edf94f31d2eebab86991b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q3F9-G8Q7-FRJ2
Vulnerability from github – Published: 2022-05-14 03:10 – Updated: 2022-05-14 03:10Due to a race condition in the QTEECOM driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, when more than one HLOS client loads the same TA, a Use After Free condition can occur.
{
"affected": [],
"aliases": [
"CVE-2018-5849"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-12T20:29:00Z",
"severity": "HIGH"
},
"details": "Due to a race condition in the QTEECOM driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, when more than one HLOS client loads the same TA, a Use After Free condition can occur.",
"id": "GHSA-q3f9-g8q7-frj2",
"modified": "2022-05-14T03:10:26Z",
"published": "2022-05-14T03:10:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5849"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2018-05-01"
},
{
"type": "WEB",
"url": "https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q3FF-M98V-RJ6M
Vulnerability from github – Published: 2022-05-01 18:44 – Updated: 2022-05-01 18:44Race condition in fileserver in OpenAFS 1.3.50 through 1.4.5 and 1.5.0 through 1.5.27 allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock.
{
"affected": [],
"aliases": [
"CVE-2007-6599"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-01-04T02:46:00Z",
"severity": "MODERATE"
},
"details": "Race condition in fileserver in OpenAFS 1.3.50 through 1.4.5 and 1.5.0 through 1.5.27 allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock.",
"id": "GHSA-q3ff-m98v-rj6m",
"modified": "2022-05-01T18:44:34Z",
"published": "2022-05-01T18:44:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6599"
},
{
"type": "WEB",
"url": "http://lists.openafs.org/pipermail/openafs-announce/2007/000220.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28327"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28401"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28433"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28636"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200801-04.xml"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1458"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:207"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/suse_security_summary_report.html"
},
{
"type": "WEB",
"url": "http://www.openafs.org/security/OPENAFS-SA-2007-003.txt"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27132"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/0046"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q3FR-W6RP-RJ7G
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Use after free in Windows NTFS allows an unauthorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-55335"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:46Z",
"severity": "HIGH"
},
"details": "Use after free in Windows NTFS allows an unauthorized attacker to elevate privileges locally.",
"id": "GHSA-q3fr-w6rp-rj7g",
"modified": "2025-10-14T18:30:30Z",
"published": "2025-10-14T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55335"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55335"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q3G2-22XW-GVF8
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32A race condition was addressed with improved state handling. This issue is fixed in macOS Catalina 10.15.5. An application may be able to execute arbitrary code with kernel privileges.
{
"affected": [],
"aliases": [
"CVE-2020-9796"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-22T18:15:00Z",
"severity": "HIGH"
},
"details": "A race condition was addressed with improved state handling. This issue is fixed in macOS Catalina 10.15.5. An application may be able to execute arbitrary code with kernel privileges.",
"id": "GHSA-q3g2-22xw-gvf8",
"modified": "2022-05-24T17:32:03Z",
"published": "2022-05-24T17:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9796"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211170"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.