CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2899 vulnerabilities reference this CWE, most recent first.
GHSA-WR2J-Q648-W99G
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2024-02-15 18:30An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
{
"affected": [],
"aliases": [
"CVE-2020-29368"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-28T07:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.",
"id": "GHSA-wr2j-q648-w99g",
"modified": "2024-02-15T18:30:39Z",
"published": "2022-05-24T17:35:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29368"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2045"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c444eb564fb16645c172d550359cb3d75fe8a040"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210108-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WR76-XWC9-Q8VX
Vulnerability from github – Published: 2026-01-14 03:30 – Updated: 2026-01-14 03:30Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2025-68961"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-14T03:15:50Z",
"severity": "MODERATE"
},
"details": "Multi-thread race condition vulnerability in the camera framework module.\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-wr76-xwc9-q8vx",
"modified": "2026-01-14T03:30:25Z",
"published": "2026-01-14T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68961"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/1"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WRCV-2HQ2-RHWC
Vulnerability from github – Published: 2025-08-11 06:30 – Updated: 2025-08-11 06:30in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through race condition.
{
"affected": [],
"aliases": [
"CVE-2025-25278"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-11T04:15:34Z",
"severity": "HIGH"
},
"details": "in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through race condition.",
"id": "GHSA-wrcv-2hq2-rhwc",
"modified": "2025-08-11T06:30:30Z",
"published": "2025-08-11T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25278"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-08.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WRG5-4633-4GG8
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.
{
"affected": [],
"aliases": [
"CVE-2017-16857"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-05T16:29:00Z",
"severity": "HIGH"
},
"details": "It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.",
"id": "GHSA-wrg5-4633-4gg8",
"modified": "2022-05-13T01:44:13Z",
"published": "2022-05-13T01:44:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16857"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/BSERV-10439"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WRJW-5QVP-GQCG
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a race condition that can cause a stack-based buffer overflow or an out-of-bounds read.
{
"affected": [],
"aliases": [
"CVE-2018-20315"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-07T18:15:00Z",
"severity": "HIGH"
},
"details": "Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a race condition that can cause a stack-based buffer overflow or an out-of-bounds read.",
"id": "GHSA-wrjw-5qvp-gqcg",
"modified": "2022-05-24T17:38:10Z",
"published": "2022-05-24T17:38:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20315"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WV4P-JP67-JR97
Vulnerability from github – Published: 2021-08-25 20:50 – Updated: 2023-06-13 18:44Affected versions of this crate unconditionally implemented Sync and Send traits for MPMCConsumer and MPMCProducer types. This allows users to send types that do not implement Send trait across thread boundaries, which can cause a data race. The flaw was corrected in the 2.0.1 release by adding T: Send bound to affected Sync/Send trait implementations.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "magnetic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35925"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T18:56:44Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of this crate unconditionally implemented Sync and Send traits for MPMCConsumer and MPMCProducer types. This allows users to send types that do not implement Send trait across thread boundaries, which can cause a data race. The flaw was corrected in the 2.0.1 release by adding T: Send bound to affected Sync/Send trait implementations.",
"id": "GHSA-wv4p-jp67-jr97",
"modified": "2023-06-13T18:44:57Z",
"published": "2021-08-25T20:50:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35925"
},
{
"type": "WEB",
"url": "https://github.com/johnshaw/magnetic/issues/9"
},
{
"type": "PACKAGE",
"url": "https://github.com/johnshaw/magnetic"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0088.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Data races in magnetic"
}
GHSA-WV63-PCG9-3X4Q
Vulnerability from github – Published: 2022-05-14 00:58 – Updated: 2024-03-21 03:33** DISPUTED ** The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported.
{
"affected": [],
"aliases": [
"CVE-2019-11191"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-12T00:29:00Z",
"severity": "LOW"
},
"details": "** DISPUTED ** The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported.",
"id": "GHSA-wv63-pcg9-3x4q",
"modified": "2024-03-21T03:33:34Z",
"published": "2022-05-14T00:58:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11191"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4006-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4006-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4007-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4007-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4008-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4008-3"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2019/04/03/4"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2019/04/03/4/1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/04/18/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/05/22/7"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107887"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WV76-PJMF-RXJC
Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2025-10-22 18:30In the Linux kernel, the following vulnerability has been resolved:
zsmalloc: fix races between asynchronous zspage free and page migration
The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lock_zspage() churns away, lock_zspage() can suffer from a few different lethal races.
It can lock a page which no longer belongs to the zspage and unsafely dereference page_private(), it can unsafely dereference a torn pointer to the next page (since there's a data race), and it can observe a spurious NULL pointer to the next page and thus not lock all of the zspage's pages (since a single page migration will reconstruct the entire page list, and create_page_chain() unconditionally zeroes out each list pointer in the process).
Fix the races by using migrate_read_lock() in lock_zspage() to synchronize with page migration.
{
"affected": [],
"aliases": [
"CVE-2022-49554"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nzsmalloc: fix races between asynchronous zspage free and page migration\n\nThe asynchronous zspage free worker tries to lock a zspage\u0027s entire page\nlist without defending against page migration. Since pages which haven\u0027t\nyet been locked can concurrently migrate off the zspage page list while\nlock_zspage() churns away, lock_zspage() can suffer from a few different\nlethal races.\n\nIt can lock a page which no longer belongs to the zspage and unsafely\ndereference page_private(), it can unsafely dereference a torn pointer to\nthe next page (since there\u0027s a data race), and it can observe a spurious\nNULL pointer to the next page and thus not lock all of the zspage\u0027s pages\n(since a single page migration will reconstruct the entire page list, and\ncreate_page_chain() unconditionally zeroes out each list pointer in the\nprocess).\n\nFix the races by using migrate_read_lock() in lock_zspage() to synchronize\nwith page migration.",
"id": "GHSA-wv76-pjmf-rxjc",
"modified": "2025-10-22T18:30:32Z",
"published": "2025-10-22T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49554"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVPJ-27HH-G2M4
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-59507"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T18:15:36Z",
"severity": "HIGH"
},
"details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows Speech allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-wvpj-27hh-g2m4",
"modified": "2025-11-11T18:30:20Z",
"published": "2025-11-11T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59507"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59507"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVR5-3FWJ-8F26
Vulnerability from github – Published: 2022-05-14 03:00 – Updated: 2025-04-20 03:46Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.
{
"affected": [],
"aliases": [
"CVE-2017-15038"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-10T01:30:00Z",
"severity": "MODERATE"
},
"details": "Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.",
"id": "GHSA-wvr5-3fwj-8f26",
"modified": "2025-04-20T03:46:27Z",
"published": "2022-05-14T03:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15038"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3575-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4213"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/10/06/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.