CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2903 vulnerabilities reference this CWE, most recent first.
GHSA-4X5X-V34X-MQXM
Vulnerability from github – Published: 2025-05-24 03:30 – Updated: 2025-05-24 03:30In the anode crate 0.1.0 for Rust, data races can occur in unlock in SpinLock.
{
"affected": [],
"aliases": [
"CVE-2025-48753"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-24T03:15:23Z",
"severity": "LOW"
},
"details": "In the anode crate 0.1.0 for Rust, data races can occur in unlock in SpinLock.",
"id": "GHSA-4x5x-v34x-mqxm",
"modified": "2025-05-24T03:30:19Z",
"published": "2025-05-24T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48753"
},
{
"type": "WEB",
"url": "https://github.com/obsidiandynamics/anode/issues/1"
},
{
"type": "WEB",
"url": "https://crates.io/crates/anode"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4X89-4XJG-WJV4
Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2025-04-12 13:07Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.
{
"affected": [],
"aliases": [
"CVE-2016-9794"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-28T07:59:00Z",
"severity": "HIGH"
},
"details": "Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.",
"id": "GHSA-4x89-4xjg-wjv4",
"modified": "2025-04-12T13:07:48Z",
"published": "2022-05-14T03:54:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9794"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1401494"
},
{
"type": "WEB",
"url": "https://patchwork.kernel.org/patch/8752621"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-05-01"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00057.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00062.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00072.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00075.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00081.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00088.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00091.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2574.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/03/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4X9F-4X9P-28W2
Vulnerability from github – Published: 2025-07-28 12:30 – Updated: 2025-11-19 18:31In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix race between cache write completion and ALL_QUEUED being set
When netfslib is issuing subrequests, the subrequests start processing immediately and may complete before we reach the end of the issuing function. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED to indicate to the collector that we aren't going to issue any more subreqs and that it can do the final notifications and cleanup.
Now, this isn't a problem if the request is synchronous (NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be done in-thread and we're guaranteed an opportunity to run the collector.
However, if the request is asynchronous, collection is primarily triggered by the termination of subrequests queuing it on a workqueue. Now, a race can occur here if the app thread sets ALL_QUEUED after the last subrequest terminates.
This can happen most easily with the copy2cache code (as used by Ceph) where, in the collection routine of a read request, an asynchronous write request is spawned to copy data to the cache. Folios are added to the write request as they're unlocked, but there may be a delay before ALL_QUEUED is set as the write subrequests may complete before we get there.
If all the write subreqs have finished by the ALL_QUEUED point, no further events happen and the collection never happens, leaving the request hanging.
Fix this by queuing the collector after setting ALL_QUEUED. This is a bit heavy-handed and it may be sufficient to do it only if there are no extant subreqs.
Also add a tracepoint to cross-reference both requests in a copy-to-request operation and add a trace to the netfs_rreq tracepoint to indicate the setting of ALL_QUEUED.
{
"affected": [],
"aliases": [
"CVE-2025-38492"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T12:15:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix race between cache write completion and ALL_QUEUED being set\n\nWhen netfslib is issuing subrequests, the subrequests start processing\nimmediately and may complete before we reach the end of the issuing\nfunction. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED\nto indicate to the collector that we aren\u0027t going to issue any more subreqs\nand that it can do the final notifications and cleanup.\n\nNow, this isn\u0027t a problem if the request is synchronous\n(NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be\ndone in-thread and we\u0027re guaranteed an opportunity to run the collector.\n\nHowever, if the request is asynchronous, collection is primarily triggered\nby the termination of subrequests queuing it on a workqueue. Now, a race\ncan occur here if the app thread sets ALL_QUEUED after the last subrequest\nterminates.\n\nThis can happen most easily with the copy2cache code (as used by Ceph)\nwhere, in the collection routine of a read request, an asynchronous write\nrequest is spawned to copy data to the cache. Folios are added to the\nwrite request as they\u0027re unlocked, but there may be a delay before\nALL_QUEUED is set as the write subrequests may complete before we get\nthere.\n\nIf all the write subreqs have finished by the ALL_QUEUED point, no further\nevents happen and the collection never happens, leaving the request\nhanging.\n\nFix this by queuing the collector after setting ALL_QUEUED. This is a bit\nheavy-handed and it may be sufficient to do it only if there are no extant\nsubreqs.\n\nAlso add a tracepoint to cross-reference both requests in a copy-to-request\noperation and add a trace to the netfs_rreq tracepoint to indicate the\nsetting of ALL_QUEUED.",
"id": "GHSA-4x9f-4x9p-28w2",
"modified": "2025-11-19T18:31:17Z",
"published": "2025-07-28T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38492"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/110188a13c4853bd4c342e600ced4dfd26c3feb5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89635eae076cd8eaa5cb752f66538c9dc6c9fdc3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4XC2-JWRR-PXH9
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-16 21:30In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix disconnect vs accept race
Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in recvmsg()"), the mptcp protocol is still prone to a race between disconnect() (or shutdown) and accept.
The root cause is that the mentioned commit checks the msk-level flag, but mptcp_stream_accept() does acquire the msk-level lock, as it can rely directly on the first subflow lock.
As reported by Christoph than can lead to a race where an msk socket is accepted after that mptcp_subflow_queue_clean() releases the listener socket lock and just before it takes destructive actions leading to the following splat:
BUG: kernel NULL pointer dereference, address: 0000000000000012 PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330 Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 <0f> b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89 RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300 RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020 R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880 FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: do_accept+0x1ae/0x260 net/socket.c:1872 __sys_accept4+0x9b/0x110 net/socket.c:1913 __do_sys_accept4 net/socket.c:1954 [inline] __se_sys_accept4 net/socket.c:1951 [inline] __x64_sys_accept4+0x20/0x30 net/socket.c:1951 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Address the issue by temporary removing the pending request socket from the accept queue, so that racing accept() can't touch them.
After depleting the msk - the ssk still exists, as plain TCP sockets, re-insert them into the accept queue, so that later inet_csk_listen_stop() will complete the tcp socket disposal.
{
"affected": [],
"aliases": [
"CVE-2023-53490"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:52Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix disconnect vs accept race\n\nDespite commit 0ad529d9fd2b (\"mptcp: fix possible divide by zero in\nrecvmsg()\"), the mptcp protocol is still prone to a race between\ndisconnect() (or shutdown) and accept.\n\nThe root cause is that the mentioned commit checks the msk-level\nflag, but mptcp_stream_accept() does acquire the msk-level lock,\nas it can rely directly on the first subflow lock.\n\nAs reported by Christoph than can lead to a race where an msk\nsocket is accepted after that mptcp_subflow_queue_clean() releases\nthe listener socket lock and just before it takes destructive\nactions leading to the following splat:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000012\nPGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330\nCode: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 \u003c0f\u003e b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89\nRSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300\nRDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a\nRBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020\nR13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880\nFS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n do_accept+0x1ae/0x260 net/socket.c:1872\n __sys_accept4+0x9b/0x110 net/socket.c:1913\n __do_sys_accept4 net/socket.c:1954 [inline]\n __se_sys_accept4 net/socket.c:1951 [inline]\n __x64_sys_accept4+0x20/0x30 net/socket.c:1951\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nAddress the issue by temporary removing the pending request socket\nfrom the accept queue, so that racing accept() can\u0027t touch them.\n\nAfter depleting the msk - the ssk still exists, as plain TCP sockets,\nre-insert them into the accept queue, so that later inet_csk_listen_stop()\nwill complete the tcp socket disposal.",
"id": "GHSA-4xc2-jwrr-pxh9",
"modified": "2026-01-16T21:30:30Z",
"published": "2025-10-01T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53490"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/511b90e39250135a7f900f1c3afbce25543018a2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2b4c84eb7149f34c0f25f17042d095ba5357d68"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ded9f5551ce5cafa3c41c794428c27a0d0a00542"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4XHQ-99M3-RX24
Vulnerability from github – Published: 2022-05-14 01:16 – Updated: 2025-04-12 13:00Race condition in the Disk Images subsystem in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows local users to obtain sensitive information from kernel memory via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2016-1807"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-05-20T10:59:00Z",
"severity": "MODERATE"
},
"details": "Race condition in the Disk Images subsystem in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows local users to obtain sensitive information from kernel memory via unspecified vectors.",
"id": "GHSA-4xhq-99m3-rx24",
"modified": "2025-04-12T13:00:10Z",
"published": "2022-05-14T01:16:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1807"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=732"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206564"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206566"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206567"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206568"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39929"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/May/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/May/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/May/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/May/msg00004.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/137395/OS-X-iOS-Kernel-IOHDIXControllerUserClient-Use-After-Free.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/90694"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1035890"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4XJ5-VV9X-63JP
Vulnerability from github – Published: 2021-08-25 20:50 – Updated: 2021-08-19 18:56An issue was discovered in the concread crate before 0.2.6 for Rust. Attackers can cause an ARCache data race by sending types that do not implement Send/Sync.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "concread"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35928"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T18:56:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "An issue was discovered in the concread crate before 0.2.6 for Rust. Attackers can cause an ARCache\u003cK,V\u003e data race by sending types that do not implement Send/Sync.",
"id": "GHSA-4xj5-vv9x-63jp",
"modified": "2021-08-19T18:56:22Z",
"published": "2021-08-25T20:50:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35928"
},
{
"type": "WEB",
"url": "https://github.com/kanidm/concread/issues/48"
},
{
"type": "PACKAGE",
"url": "https://github.com/kanidm/concread"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0092.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Data races in concread"
}
GHSA-4XQQ-Q6WP-W8H4
Vulnerability from github – Published: 2021-12-23 00:01 – Updated: 2024-03-25 03:31A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.
{
"affected": [],
"aliases": [
"CVE-2021-44733"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-22T17:15:00Z",
"severity": "HIGH"
},
"details": "A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.",
"id": "GHSA-4xqq-q6wp-w8h4",
"modified": "2024-03-25T03:31:43Z",
"published": "2021-12-23T00:01:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44733"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dfd0743f1d9ea76931510ed150334d571fbab49d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/tee/tee_shm.c"
},
{
"type": "WEB",
"url": "https://github.com/pjlantz/optee-qemu/blob/main/README.md"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/20211215092501.1861229-1-jens.wiklander%40linaro.org"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/20211215092501.1861229-1-jens.wiklander@linaro.org"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220114-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5096"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-525F-HW88-W4M8
Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31A race condition was addressed with additional validation. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access protected user data.
{
"affected": [],
"aliases": [
"CVE-2024-23275"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-08T02:15:49Z",
"severity": "MODERATE"
},
"details": "A race condition was addressed with additional validation. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access protected user data.",
"id": "GHSA-525f-hw88-w4m8",
"modified": "2026-04-02T21:31:38Z",
"published": "2024-03-08T03:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23275"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120884"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120886"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120895"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214083"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214085"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214083"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214085"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/22"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-52FP-QXMC-8Q94
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-05-24 16:58A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1.
{
"affected": [],
"aliases": [
"CVE-2019-6471"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T16:15:00Z",
"severity": "MODERATE"
},
"details": "A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -\u003e 9.11.7, 9.12.0 -\u003e 9.12.4-P1, 9.14.0 -\u003e 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -\u003e 9.11.7-S1.",
"id": "GHSA-52fp-qxmc-8q94",
"modified": "2022-05-24T16:58:21Z",
"published": "2022-05-24T16:58:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6471"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/cve-2019-6471"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K10092301?utm_source=f5support\u0026amp;utm_medium=RSS"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-52P4-CQPV-XM5J
Vulnerability from github – Published: 2022-04-23 00:03 – Updated: 2024-05-01 18:30In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.
{
"affected": [],
"aliases": [
"CVE-2022-29582"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-22T16:15:00Z",
"severity": "HIGH"
},
"details": "In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.",
"id": "GHSA-52p4-cqpv-xm5j",
"modified": "2024-05-01T18:30:34Z",
"published": "2022-04-23T00:03:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29582"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/e677edbcabee849bfdd43f1602bccbecf736a646"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e677edbcabee849bfdd43f1602bccbecf736a646"
},
{
"type": "WEB",
"url": "https://github.com/Ruia-ruia/CVE-2022-29582-Exploit"
},
{
"type": "WEB",
"url": "https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5127"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2022/04/22/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/04/22/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/08/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/24/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.