CWE-367
AllowedTime-of-check Time-of-use (TOCTOU) Race Condition
Abstraction: Base · Status: Incomplete
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
1068 vulnerabilities reference this CWE, most recent first.
GHSA-C6RQ-RJC2-86V2
Vulnerability from github – Published: 2022-02-10 23:33 – Updated: 2021-05-12 20:23A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "chownr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18869"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T20:23:29Z",
"nvd_published_at": "2020-06-15T15:15:00Z",
"severity": "LOW"
},
"details": "A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.",
"id": "GHSA-c6rq-rjc2-86v2",
"modified": "2021-05-12T20:23:29Z",
"published": "2022-02-10T23:33:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18869"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/chownr/issues/14"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/chownr/commit/36a93e3f0a220062c47b237cf6ab6d5f55cd79c9"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/chownr/commit/a631d841022880e5c8d694408a7e96d6d576d0ce"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1611614"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/npm:chownr:20180731"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Time-of-check Time-of-use (TOCTOU) Race Condition in chownr"
}
GHSA-C77V-CR6C-9FXW
Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31Windows Kernel Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-38153"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T18:15:20Z",
"severity": "HIGH"
},
"details": "Windows Kernel Elevation of Privilege Vulnerability",
"id": "GHSA-c77v-cr6c-9fxw",
"modified": "2024-08-13T18:31:16Z",
"published": "2024-08-13T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38153"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38153"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C788-RMFV-WWR2
Vulnerability from github – Published: 2022-05-14 02:28 – Updated: 2022-05-14 02:28Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-1748.
{
"affected": [],
"aliases": [
"CVE-2015-1743"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-06-10T01:59:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka \"Internet Explorer Elevation of Privilege Vulnerability,\" a different vulnerability than CVE-2015-1748.",
"id": "GHSA-c788-rmfv-wwr2",
"modified": "2022-05-14T02:28:46Z",
"published": "2022-05-14T02:28:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1743"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-056"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/74996"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1032521"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-15-377"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C82R-C9F7-F5MJ
Vulnerability from github – Published: 2025-04-28 20:25 – Updated: 2025-04-29 13:10Issue
Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET (“Connector”). When using the Easy Logging feature on Linux and macOS, the Connector didn’t correctly verify the permissions of the logging configuration file, potentially allowing an attacker with local access to overwrite the configuration and gain control over logging level and output location.
This vulnerability affects Connector versions 2.1.2 through 4.4.0. Snowflake fixed the issue in version 4.4.1.
Vulnerability Details
When using the Easy Logging feature on Linux and macOS, the Connector reads logging configuration from a user-provided file. On Linux and macOS, the Connector verifies that the configuration file can be written to only by its owner. That check was vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition and failed to verify that the file owner matches the user running the Connector. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location.
Solution
Snowflake released version 4.4.1 of the Snowflake Connector for .NET, which fixes this issue. We recommend users upgrade to version 4.4.1.
Additional Information
If you discover a security vulnerability in one of our products or websites, please report the issue to Snowflake through our Vulnerability Disclosure Program hosted at HackerOne. For more information, please see our Vulnerability Disclosure Policy.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.4.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Snowflake.Data"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.2"
},
{
"fixed": "4.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46326"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-28T20:25:51Z",
"nvd_published_at": "2025-04-28T23:15:44Z",
"severity": "LOW"
},
"details": "# Issue\nSnowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET (\u201cConnector\u201d). When using the Easy Logging feature on Linux and macOS, the Connector didn\u2019t correctly verify the permissions of the logging configuration file, potentially allowing an attacker with local access to overwrite the configuration and gain control over logging level and output location.\n\nThis vulnerability affects Connector versions 2.1.2 through 4.4.0. Snowflake fixed the issue in version 4.4.1.\n\n# Vulnerability Details\nWhen using the Easy Logging feature on Linux and macOS, the Connector reads logging configuration from a user-provided file. On Linux and macOS, the Connector verifies that the configuration file can be written to only by its owner. That check was vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition and failed to verify that the file owner matches the user running the Connector. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location.\n\n# Solution\nSnowflake released version 4.4.1 of the Snowflake Connector for .NET, which fixes this issue. We recommend users upgrade to version 4.4.1.\n\n# Additional Information\nIf you discover a security vulnerability in one of our products or websites, please report the issue to Snowflake through our Vulnerability Disclosure Program hosted at HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).",
"id": "GHSA-c82r-c9f7-f5mj",
"modified": "2025-04-29T13:10:37Z",
"published": "2025-04-28T20:25:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-connector-net/security/advisories/GHSA-c82r-c9f7-f5mj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46326"
},
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-connector-net/commit/393aad3cfa81045a05dd488944db45256e861bff"
},
{
"type": "PACKAGE",
"url": "https://github.com/snowflakedb/snowflake-connector-net"
},
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-connector-net/releases/tag/v4.4.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Snowflake Connector for .NET has race condition when checking access to Easy Logging configuration file"
}
GHSA-C85P-9PVR-F7F5
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval restrictions.
{
"affected": [],
"aliases": [
"CVE-2026-53838"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:55Z",
"severity": "MODERATE"
},
"details": "OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval restrictions.",
"id": "GHSA-c85p-9pvr-f7f5",
"modified": "2026-06-13T00:34:33Z",
"published": "2026-06-13T00:34:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-83w9-h5wv-j9xm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53838"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-node-pairing-state-mutation-via-reconnection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C8H4-QFJ3-V7GC
Vulnerability from github – Published: 2022-05-13 01:39 – Updated: 2022-05-13 01:39An elevation of privilege vulnerability in the NVIDIA video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel 3.10. Android ID: A-34113000. References: N-CVE-2017-0331.
{
"affected": [],
"aliases": [
"CVE-2017-0331"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-02T21:59:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability in the NVIDIA video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel 3.10. Android ID: A-34113000. References: N-CVE-2017-0331.",
"id": "GHSA-c8h4-qfj3-v7gc",
"modified": "2022-05-13T01:39:55Z",
"published": "2022-05-13T01:39:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0331"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-05-01"
},
{
"type": "WEB",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4561"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98150"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C9V3-4PV7-87PR
Vulnerability from github – Published: 2026-03-06 18:04 – Updated: 2026-04-27 13:53A logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw.
Impact
In multi-tenant Kubernetes clusters, this flaw undermines DNS-based segmentation strategies.
Example scenario: 1. ACL blocks access to *.admin.svc.cluster.local 2. A rewrite rule maps public-name → admin.svc.cluster.local 3. An unprivileged pod queries public-name 4. ACL allows the request 5. Rewrite exposes the internal admin service IP
This allows unauthorized service discovery and reconnaissance of restricted internal infrastructure.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
- Reorder the default plugin.cfg so that:
- rewrite and other normalization plugins run before acl, opa, and firewall
- Ensure all access control checks are applied after name normalization.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26017"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-06T18:04:00Z",
"nvd_published_at": "2026-03-06T16:16:10Z",
"severity": "HIGH"
},
"details": "A logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw.\n\n\n### Impact\n\nIn multi-tenant Kubernetes clusters, this flaw undermines DNS-based segmentation strategies.\n\nExample scenario:\n1. ACL blocks access to *.admin.svc.cluster.local\n2. A rewrite rule maps public-name \u2192 admin.svc.cluster.local\n3. An unprivileged pod queries public-name\n4. ACL allows the request\n5. Rewrite exposes the internal admin service IP\n\nThis allows unauthorized service discovery and reconnaissance of restricted internal infrastructure.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\n- Reorder the default plugin.cfg so that:\n - rewrite and other normalization plugins run before acl, opa, and firewall\n- Ensure all access control checks are applied after name normalization.",
"id": "GHSA-c9v3-4pv7-87pr",
"modified": "2026-04-27T13:53:21Z",
"published": "2026-03-06T18:04:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26017"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CoreDNS ACL Bypass"
}
GHSA-CC5X-973X-6P4M
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-28 00:00Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: This issue is only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86.
{
"affected": [],
"aliases": [
"CVE-2021-23977"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-26T03:15:00Z",
"severity": "MODERATE"
},
"details": "Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: This issue is only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox \u003c 86.",
"id": "GHSA-cc5x-973x-6p4m",
"modified": "2022-05-28T00:00:22Z",
"published": "2022-05-24T17:43:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23977"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1684761"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202104-10"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CCFH-V7CP-3943
Vulnerability from github – Published: 2024-10-03 15:30 – Updated: 2024-10-03 15:30The AVGUI.exe of AVG/Avast Antivirus before versions before 24.1 can allow a local attacker to escalate privileges via an COM hijack in a time-of-check to time-of-use (TOCTOU) when self protection is disabled.
{
"affected": [],
"aliases": [
"CVE-2024-5803"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-03T15:15:15Z",
"severity": "HIGH"
},
"details": "The AVGUI.exe of AVG/Avast Antivirus before versions before 24.1 can allow a local attacker to escalate privileges via an COM hijack in a time-of-check to time-of-use (TOCTOU) when self protection is disabled.",
"id": "GHSA-ccfh-v7cp-3943",
"modified": "2024-10-03T15:30:50Z",
"published": "2024-10-03T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5803"
},
{
"type": "WEB",
"url": "https://support.norton.com/sp/static/external/tools/security-advisories.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CF5W-M4V7-4W22
Vulnerability from github – Published: 2023-02-15 03:30 – Updated: 2023-02-23 18:31An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.
{
"affected": [],
"aliases": [
"CVE-2022-32953"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-15T03:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.",
"id": "GHSA-cf5w-m4v7-4w22",
"modified": "2023-02-23T18:31:05Z",
"published": "2023-02-15T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32953"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge/SA-2023013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
Mitigation
When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Mitigation
Limit the interleaving of operations on files from multiple processes.
Mitigation
If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.
Mitigation
Recheck the resource after the use call to verify that the action was taken appropriately.
Mitigation
Ensure that some environmental locking mechanism can be used to protect resources effectively.
Mitigation
Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.