CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2907 vulnerabilities reference this CWE, most recent first.
GHSA-QFG2-8GF5-3XFC
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-20 19:00A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-3566"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.",
"id": "GHSA-qfg2-8gf5-3xfc",
"modified": "2022-10-20T19:00:36Z",
"published": "2022-10-18T12:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3566"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.211089"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QFVJ-MCF4-FGPG
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-24 18:32In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path
icmp_route_lookup() performs multiple route lookups to find a suitable route for sending ICMP error messages, with special handling for XFRM (IPsec) policies.
The lookup sequence is: 1. First, lookup output route for ICMP reply (dst = original src) 2. Pass through xfrm_lookup() for policy check 3. If blocked (-EPERM) or dst is not local, enter "reverse path" 4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec which reverses the original packet's flow (saddr<->daddr swapped) 5. If fl4_dec.saddr is local (we are the original destination), use __ip_route_output_key() for output route lookup 6. If fl4_dec.saddr is NOT local (we are a forwarding node), use ip_route_input() to simulate the reverse packet's input path 7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag
The bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr (original packet's source) as destination. If this address becomes local between the initial check and ip_route_input() call (e.g., due to concurrent "ip addr add"), ip_route_input() returns a LOCAL route with dst.output set to ip_rt_bug.
This route is then used for ICMP output, causing dst_output() to call ip_rt_bug(), triggering a WARN_ON:
------------[ cut here ]------------ WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1 Call Trace: ip_push_pending_frames+0x202/0x240 icmp_push_reply+0x30d/0x430 __icmp_send+0x1149/0x24f0 ip_options_compile+0xa2/0xd0 ip_rcv_finish_core+0x829/0x1950 ip_rcv+0x2d7/0x420 __netif_receive_skb_one_core+0x185/0x1f0 netif_receive_skb+0x90/0x450 tun_get_user+0x3413/0x3fb0 tun_chr_write_iter+0xe4/0x220 ...
Fix this by checking rt2->rt_type after ip_route_input(). If it's RTN_LOCAL, the route cannot be used for output, so treat it as an error.
The reproducer requires kernel modification to widen the race window, making it unsuitable as a selftest. It is available at:
https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81
{
"affected": [],
"aliases": [
"CVE-2026-45905"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix ip_rt_bug race in icmp_route_lookup reverse path\n\nicmp_route_lookup() performs multiple route lookups to find a suitable\nroute for sending ICMP error messages, with special handling for XFRM\n(IPsec) policies.\n\nThe lookup sequence is:\n1. First, lookup output route for ICMP reply (dst = original src)\n2. Pass through xfrm_lookup() for policy check\n3. If blocked (-EPERM) or dst is not local, enter \"reverse path\"\n4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec\n which reverses the original packet\u0027s flow (saddr\u003c-\u003edaddr swapped)\n5. If fl4_dec.saddr is local (we are the original destination), use\n __ip_route_output_key() for output route lookup\n6. If fl4_dec.saddr is NOT local (we are a forwarding node), use\n ip_route_input() to simulate the reverse packet\u0027s input path\n7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag\n\nThe bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr\n(original packet\u0027s source) as destination. If this address becomes local\nbetween the initial check and ip_route_input() call (e.g., due to\nconcurrent \"ip addr add\"), ip_route_input() returns a LOCAL route with\ndst.output set to ip_rt_bug.\n\nThis route is then used for ICMP output, causing dst_output() to call\nip_rt_bug(), triggering a WARN_ON:\n\n ------------[ cut here ]------------\n WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1\n Call Trace:\n \u003cTASK\u003e\n ip_push_pending_frames+0x202/0x240\n icmp_push_reply+0x30d/0x430\n __icmp_send+0x1149/0x24f0\n ip_options_compile+0xa2/0xd0\n ip_rcv_finish_core+0x829/0x1950\n ip_rcv+0x2d7/0x420\n __netif_receive_skb_one_core+0x185/0x1f0\n netif_receive_skb+0x90/0x450\n tun_get_user+0x3413/0x3fb0\n tun_chr_write_iter+0xe4/0x220\n ...\n\nFix this by checking rt2-\u003ert_type after ip_route_input(). If it\u0027s\nRTN_LOCAL, the route cannot be used for output, so treat it as an error.\n\nThe reproducer requires kernel modification to widen the race window,\nmaking it unsuitable as a selftest. It is available at:\n\n https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81",
"id": "GHSA-qfvj-mcf4-fgpg",
"modified": "2026-06-24T18:32:27Z",
"published": "2026-05-27T15:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45905"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QFXH-8PC6-GX8M
Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-20869"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T18:16:16Z",
"severity": "HIGH"
},
"details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-qfxh-8pc6-gx8m",
"modified": "2026-01-13T18:31:09Z",
"published": "2026-01-13T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20869"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20869"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QG5W-XH4J-9WWQ
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02A race condition in navigation in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2017-5061"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-27T05:29:00Z",
"severity": "MODERATE"
},
"details": "A race condition in navigation in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.",
"id": "GHSA-qg5w-xh4j-9wwq",
"modified": "2022-05-13T01:02:41Z",
"published": "2022-05-13T01:02:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5061"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1124"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/672847"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201705-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97939"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038317"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QG98-9H5G-6P53
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28In CamX code, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-123999783
{
"affected": [],
"aliases": [
"CVE-2020-0428"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-17T19:15:00Z",
"severity": "MODERATE"
},
"details": "In CamX code, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-123999783",
"id": "GHSA-qg98-9h5g-6p53",
"modified": "2022-05-24T17:28:50Z",
"published": "2022-05-24T17:28:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0428"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2020-09-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QGF6-M828-GPV5
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-12 21:31In the Linux kernel, the following vulnerability has been resolved:
rpmsg: core: fix race in driver_override_show() and use core helper
The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free.
To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now.
Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race.
Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.
{
"affected": [],
"aliases": [
"CVE-2025-71274"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: core: fix race in driver_override_show() and use core helper\n\nThe driver_override_show function reads the driver_override string\nwithout holding the device_lock. However, the store function modifies\nand frees the string while holding the device_lock. This creates a race\ncondition where the string can be freed by the store function while\nbeing read by the show function, leading to a use-after-free.\n\nTo fix this, replace the rpmsg_string_attr macro with explicit show and\nstore functions. The new driver_override_store uses the standard\ndriver_set_override helper. Since the introduction of\ndriver_set_override, the comments in include/linux/rpmsg.h have stated\nthat this helper must be used to set or clear driver_override, but the\nimplementation was not updated until now.\n\nBecause driver_set_override modifies and frees the string while holding\nthe device_lock, the new driver_override_show now correctly holds the\ndevice_lock during the read operation to prevent the race.\n\nAdditionally, since rpmsg_string_attr has only ever been used for\ndriver_override, removing the macro simplifies the code.",
"id": "GHSA-qgf6-m828-gpv5",
"modified": "2026-05-12T21:31:26Z",
"published": "2026-05-06T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71274"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e4a70f3c30910427e5ea848b799066d67b963d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/392c6b68334aa0e0ae9aba95c0a366bcb0d92f5d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/42023d4b6d2661a40ee2dcf7e1a3528a35c638ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47615557447185917afa432b7958f87583c417cb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7654e6e3cd6bdee9602f6063b3c670bd556d7e61"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90c8353f471821d7ccd4fe573a2402e056192494"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/954557957177c3c13d7c655976665b1170da5e50"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d66b8074c555e8abb0ae19eea1c9f3635498bdde"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QGP4-5XQG-PC3P
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.
{
"affected": [],
"aliases": [
"CVE-2018-17972"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-03T22:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.",
"id": "GHSA-qgp4-5xqg-pc3p",
"modified": "2022-05-13T01:14:42Z",
"published": "2022-05-13T01:14:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17972"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3880-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3880-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3871-5"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3871-4"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3871-3"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3871-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3835-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3832-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3821-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3821-1"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K27673650?utm_source=f5support\u0026amp;utm_medium=RSS"
},
{
"type": "WEB",
"url": "https://marc.info/?l=linux-fsdevel\u0026m=153806242024956\u0026w=2"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2473"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0831"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0514"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0512"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00043.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105525"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QGQ3-M3FR-7C5X
Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-10 21:31In the Linux kernel, the following vulnerability has been resolved:
tcp: Fix data-races around sysctl_tcp_min_snd_mss.
While reading sysctl_tcp_min_snd_mss, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers.
{
"affected": [],
"aliases": [
"CVE-2022-49596"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_min_snd_mss.\n\nWhile reading sysctl_tcp_min_snd_mss, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
"id": "GHSA-qgq3-m3fr-7c5x",
"modified": "2025-03-10T21:31:11Z",
"published": "2025-03-10T21:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49596"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d8a39feb58910a7f7746b1770ee5578cc551fe6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0fc9357282df055e30990b29f4b7afa53ab42cdb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78eb166cdefcc3221c8c7c1e2d514e91a2eb5014"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97992e8feff33b3ae154a113ec398546bbacda80"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fdb96b69f5909ffcdd6f1e0902219fc6d7689ff7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QGRJ-P6F4-PXJ8
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-49127"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:04:39Z",
"severity": "HIGH"
},
"details": "Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability",
"id": "GHSA-qgrj-p6f4-pxj8",
"modified": "2024-12-12T03:33:05Z",
"published": "2024-12-12T03:33:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49127"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QGV6-745C-PW4V
Vulnerability from github – Published: 2022-05-17 01:58 – Updated: 2022-05-17 01:58In all Qualcomm products with Android releases from CAF using the Linux kernel, there is a TOCTOU race condition in Secure UI.
{
"affected": [],
"aliases": [
"CVE-2016-10383"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-18T18:29:00Z",
"severity": "HIGH"
},
"details": "In all Qualcomm products with Android releases from CAF using the Linux kernel, there is a TOCTOU race condition in Secure UI.",
"id": "GHSA-qgv6-745c-pw4v",
"modified": "2022-05-17T01:58:24Z",
"published": "2022-05-17T01:58:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10383"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-07-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99467"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.