CWE-367
AllowedTime-of-check Time-of-use (TOCTOU) Race Condition
Abstraction: Base · Status: Incomplete
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
1067 vulnerabilities reference this CWE, most recent first.
GHSA-VPFW-47H7-XJ4G
Vulnerability from github – Published: 2025-05-08 14:45 – Updated: 2025-05-09 14:34Summary
When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.
Details
Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.
Impact
When using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.
Mitigation
- Update to the latest version of
rack, or - Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a
logged_outflag, instead of deleting them, and check this flag on every request to prevent reuse, or - Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
Related
As this code was moved to rack-session in Rack 3+, see https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj for the equivalent advisory in rack-session (affecting Rack 3+ only).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.13"
},
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32441"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-367",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-08T14:45:18Z",
"nvd_published_at": "2025-05-07T23:15:53Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nWhen using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.\n\n### Details\n\n[Rack session middleware](https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270) prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.\n\n### Impact\n\nWhen using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.\n\n## Mitigation\n\n- Update to the latest version of `rack`, or\n- Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse, or\n- Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.\n\n### Related\n\nAs this code was moved to `rack-session` in Rack 3+, see \u003chttps://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj\u003e for the equivalent advisory in `rack-session` (affecting Rack 3+ only).",
"id": "GHSA-vpfw-47h7-xj4g",
"modified": "2025-05-09T14:34:16Z",
"published": "2025-05-08T14:45:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32441"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-32441.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rack session gets restored after deletion"
}
GHSA-VR9V-36R3-5PFH
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.
{
"affected": [],
"aliases": [
"CVE-2019-7249"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-31T09:29:00Z",
"severity": "CRITICAL"
},
"details": "In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-to-check-time-to-use bugs and would also allow one user of the system (who didn\u0027t have root access) to tamper with another\u0027s installs.",
"id": "GHSA-vr9v-36r3-5pfh",
"modified": "2022-05-13T01:22:48Z",
"published": "2022-05-13T01:22:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7249"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/471739"
},
{
"type": "WEB",
"url": "https://keybase.io/docs/secadv/kb004"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106824"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VRCV-RG57-32PR
Vulnerability from github – Published: 2023-02-01 09:30 – Updated: 2023-02-17 00:30A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the BIOS for certain HP PC products which may allow arbitrary code execution, denial of service, and information disclosure. HP is releasing BIOS updates to mitigate the potential vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-27538"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T07:15:00Z",
"severity": "HIGH"
},
"details": "A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the BIOS for certain HP PC products which may allow arbitrary code execution, denial of service, and information disclosure. HP is releasing BIOS updates to mitigate the potential vulnerability.",
"id": "GHSA-vrcv-rg57-32pr",
"modified": "2023-02-17T00:30:30Z",
"published": "2023-02-01T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27538"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_7387020-7387107-16/hpsbhf03827"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VRPG-HFMH-2GWF
Vulnerability from github – Published: 2023-10-20 09:30 – Updated: 2025-03-07 21:31VMware Fusion(13.x prior to 13.5) contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during installation for the first time (the user needs to drag or copy the application to a folder from the '.dmg' volume) or when installing an upgrade. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or being installed for the first time.
{
"affected": [],
"aliases": [
"CVE-2023-34046"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-20T09:15:12Z",
"severity": "HIGH"
},
"details": "VMware Fusion(13.x prior to 13.5) contains a TOCTOU (Time-of-check Time-of-use) \nvulnerability that occurs during installation for the first time (the \nuser needs to drag or copy the application to a folder from the \u0027.dmg\u0027 \nvolume) or when installing an upgrade.\u00a0A malicious actor with local non-administrative user privileges may \nexploit this vulnerability to escalate privileges to root on the system \nwhere Fusion is installed or being installed for the first time.",
"id": "GHSA-vrpg-hfmh-2gwf",
"modified": "2025-03-07T21:31:04Z",
"published": "2023-10-20T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34046"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2023-0022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VRVP-9JR4-5GP9
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:55he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted.
{
"affected": [],
"aliases": [
"CVE-2023-44128"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:37Z",
"severity": "LOW"
},
"details": "he vulnerability is to delete arbitrary files in LGInstallService (\"com.lge.lginstallservies\") app. The app contains the exported \"com.lge.lginstallservies.InstallService\" service that exposes an AIDL interface. All its \"installPackage*\" methods are finally calling the \"installPackageVerify()\" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted.",
"id": "GHSA-vrvp-9jr4-5gp9",
"modified": "2024-04-04T07:55:28Z",
"published": "2023-09-27T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44128"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com/bulletins/mobile#updateDetails"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VXX3-6HC9-7CC3
Vulnerability from github – Published: 2026-07-02 17:11 – Updated: 2026-07-02 17:13Summary
Combined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
Impact
When the affected feature is enabled and reachable, this could run inline shell content without the intended allowlist decision. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
Patched Versions
The first stable patched version is 2026.5.12.
Mitigations
avoid combined shell option forms in allowlisted commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.5.7"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53806"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T17:11:43Z",
"nvd_published_at": "2026-06-11T21:16:22Z",
"severity": "HIGH"
},
"details": "### Summary\n\nCombined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could run inline shell content without the intended allowlist decision. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.12`.\n\n### Mitigations\n\navoid combined shell option forms in allowlisted commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
"id": "GHSA-vxx3-6hc9-7cc3",
"modified": "2026-07-02T17:13:24Z",
"published": "2026-07-02T17:11:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53806"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-shell-option-parsing-bypass-in-exec-revalidation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Combined POSIX shell options could confuse exec revalidation"
}
GHSA-W223-MRPP-5VV6
Vulnerability from github – Published: 2026-05-08 06:32 – Updated: 2026-05-08 15:31The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.
{
"affected": [],
"aliases": [
"CVE-2022-26522"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T05:16:08Z",
"severity": "HIGH"
},
"details": "The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.",
"id": "GHSA-w223-mrpp-5vv6",
"modified": "2026-05-08T15:31:19Z",
"published": "2026-05-08T06:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26522"
},
{
"type": "WEB",
"url": "https://www.avast.com/bug-bounty"
},
{
"type": "WEB",
"url": "https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W25H-64GV-GRQ6
Vulnerability from github – Published: 2026-01-14 15:33 – Updated: 2026-03-25 21:30In the Linux kernel, the following vulnerability has been resolved:
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors.
Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions.
Additionally, in store_fan_div, move the calculation of the minimum limit inside the update lock. This ensures that the read-modify-write sequence operates on consistent data.
Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts.
{
"affected": [],
"aliases": [
"CVE-2025-71111"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-14T15:16:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (w83791d) Convert macros to functions to avoid TOCTOU\n\nThe macro FAN_FROM_REG evaluates its arguments multiple times. When used\nin lockless contexts involving shared driver data, this leads to\nTime-of-Check to Time-of-Use (TOCTOU) race conditions, potentially\ncausing divide-by-zero errors.\n\nConvert the macro to a static function. This guarantees that arguments\nare evaluated only once (pass-by-value), preventing the race\nconditions.\n\nAdditionally, in store_fan_div, move the calculation of the minimum\nlimit inside the update lock. This ensures that the read-modify-write\nsequence operates on consistent data.\n\nAdhere to the principle of minimal changes by only converting macros\nthat evaluate arguments multiple times and are used in lockless\ncontexts.",
"id": "GHSA-w25h-64gv-grq6",
"modified": "2026-03-25T21:30:22Z",
"published": "2026-01-14T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71111"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W36G-F98M-WM99
Vulnerability from github – Published: 2026-02-25 15:31 – Updated: 2026-02-25 15:31A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.
This requires several very stringent conditions to be met:
- The attacker must have admin access to the specific datasource prior to its first deletion.
- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
- The attacker must delete the datasource, then someone must recreate it.
- The new datasource must not have the attacker as an admin.
- The new datasource must have the same UID as the prior datasource. These are randomised by default.
- The datasource can now be re-deleted by the attacker.
- Once 30 seconds are up, the attack is spent and cannot be repeated.
- No datasource with any other UID can be attacked.
{
"affected": [],
"aliases": [
"CVE-2026-21725"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T13:16:05Z",
"severity": "LOW"
},
"details": "A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked.",
"id": "GHSA-w36g-f98m-wm99",
"modified": "2026-02-25T15:31:39Z",
"published": "2026-02-25T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21725"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2026-21725"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W37Q-2FXC-MHHR
Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2025-04-28 21:30A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-44651"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T13:15:00Z",
"severity": "HIGH"
},
"details": "A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-w37q-2fxc-mhhr",
"modified": "2025-04-28T21:30:39Z",
"published": "2022-12-12T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44651"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000291770"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1620"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
Mitigation
When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Mitigation
Limit the interleaving of operations on files from multiple processes.
Mitigation
If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.
Mitigation
Recheck the resource after the use call to verify that the action was taken appropriately.
Mitigation
Ensure that some environmental locking mechanism can be used to protect resources effectively.
Mitigation
Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.