CWE-367
AllowedTime-of-check Time-of-use (TOCTOU) Race Condition
Abstraction: Base · Status: Incomplete
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
1063 vulnerabilities reference this CWE, most recent first.
GHSA-Q6M9-XJ2W-XMRC
Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-04-30 17:30The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "coreutils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35360"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-30T17:30:18Z",
"nvd_published_at": "2026-04-22T17:16:38Z",
"severity": "MODERATE"
},
"details": "The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.",
"id": "GHSA-q6m9-xj2w-xmrc",
"modified": "2026-04-30T17:30:18Z",
"published": "2026-04-22T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35360"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/issues/10019"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition"
}
GHSA-Q6QM-PXCX-GJ5H
Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-08-06 00:00A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. This flaw affects kernel versions prior to 5.16 rc2.
{
"affected": [],
"aliases": [
"CVE-2021-4001"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-21T19:15:00Z",
"severity": "MODERATE"
},
"details": "A race condition was found in the Linux kernel\u0027s ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. This flaw affects kernel versions prior to 5.16 rc2.",
"id": "GHSA-q6qm-pxcx-gj5h",
"modified": "2022-08-06T00:00:53Z",
"published": "2022-01-22T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4001"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025645"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=353050be4c19e102178ccc05988101887c25ae53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q86M-697P-H7FH
Vulnerability from github – Published: 2026-03-19 03:30 – Updated: 2026-03-19 16:24Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-q399-23r3-hfx4. This link is maintained to preserve external references.
Original Description
OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T16:24:36Z",
"nvd_published_at": "2026-03-19T02:16:05Z",
"severity": "MODERATE"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-q399-23r3-hfx4. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution.",
"id": "GHSA-q86m-697p-h7fh",
"modified": "2026-03-19T16:24:36Z",
"published": "2026-03-19T03:30:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31997"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind",
"withdrawn": "2026-03-19T16:24:36Z"
}
GHSA-Q945-MJ3H-45F2
Vulnerability from github – Published: 2023-04-25 00:30 – Updated: 2024-01-19 18:30The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
{
"affected": [],
"aliases": [
"CVE-2023-2007"
],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-24T23:15:18Z",
"severity": "HIGH"
},
"details": "The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.",
"id": "GHSA-q945-mj3h-45f2",
"modified": "2024-01-19T18:30:22Z",
"published": "2023-04-25T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2007"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/b04e75a4a8a81887386a0d2dbf605a48e779d2a0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240119-0011"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCC4-P59M-P54M
Vulnerability from github – Published: 2026-03-12 14:21 – Updated: 2026-03-12 14:21Summary
A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.
Affected Packages / Versions
- Package: npm
openclaw - Affected versions:
<= 2026.2.25 - Latest published npm version included in affected range:
2026.2.25(checked on February 26, 2026) - Patched version (pre-set for release):
2026.2.26
Technical Details
In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including apply_patch), this could allow writes to resolve outside the configured workspace/sandbox boundary.
The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary.
Impact
- Boundary-confined write operations could be redirected outside the configured workspace/sandbox root.
- Primary impact is integrity of host-side files reachable from that path resolution.
Fix Commit(s)
4fd29a35bb85a1898ebff518364c467058b50e14
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits.
Thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.25"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:21:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Affected versions: `\u003c= 2026.2.25`\n- Latest published npm version included in affected range: `2026.2.25` (checked on February 26, 2026)\n- Patched version (pre-set for release): `2026.2.26`\n\n### Technical Details\nIn affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including `apply_patch`), this could allow writes to resolve outside the configured workspace/sandbox boundary.\n\nThe fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary.\n\n### Impact\n- Boundary-confined write operations could be redirected outside the configured workspace/sandbox root.\n- Primary impact is integrity of host-side files reachable from that path resolution.\n\n### Fix Commit(s)\n- `4fd29a35bb85a1898ebff518364c467058b50e14`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm `2026.2.26` is published, the advisory can be published without further field edits.\n\nThanks @tdjackey for reporting.",
"id": "GHSA-qcc4-p59m-p54m",
"modified": "2026-03-12T14:21:54Z",
"published": "2026-03-12T14:21:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/4fd29a35bb85a1898ebff518364c467058b50e14"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary"
}
GHSA-QF6V-76FQ-P8R9
Vulnerability from github – Published: 2023-08-07 06:30 – Updated: 2024-04-04 06:34In thermal, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07648734; Issue ID: ALPS07648734.
{
"affected": [],
"aliases": [
"CVE-2023-20787"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-07T04:15:13Z",
"severity": "MODERATE"
},
"details": "In thermal, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07648734; Issue ID: ALPS07648734.",
"id": "GHSA-qf6v-76fq-p8r9",
"modified": "2024-04-04T06:34:51Z",
"published": "2023-08-07T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20787"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/August-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QFJH-MFRQ-8J64
Vulnerability from github – Published: 2026-03-05 15:30 – Updated: 2026-04-01 15:30Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This may result in deletion of protected files or directories and can lead to local privilege escalation, denial of service, or system integrity compromise depending on the affected target.
{
"affected": [],
"aliases": [
"CVE-2026-27750"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T15:16:12Z",
"severity": "HIGH"
},
"details": "Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This may result in deletion of protected files or directories and can lead to local privilege escalation, denial of service, or system integrity compromise depending on the affected target.",
"id": "GHSA-qfjh-mfrq-8j64",
"modified": "2026-04-01T15:30:56Z",
"published": "2026-03-05T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27750"
},
{
"type": "WEB",
"url": "https://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-way-to-use-an-av.html"
},
{
"type": "WEB",
"url": "https://support.avira.com/hc/en-us/articles/360010656158-Current-Avira-versions"
},
{
"type": "WEB",
"url": "https://www.avira.com/en/internet-security"
},
{
"type": "WEB",
"url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/avira-internet-security-optimizer-toctou"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QG2Q-3Q8W-8V7R
Vulnerability from github – Published: 2024-02-15 06:31 – Updated: 2024-08-29 21:31The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption.
On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.
{
"affected": [],
"aliases": [
"CVE-2022-23084"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-15T05:15:08Z",
"severity": "HIGH"
},
"details": "The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption.\n\nOn systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.",
"id": "GHSA-qg2q-3q8w-8v7r",
"modified": "2024-08-29T21:31:01Z",
"published": "2024-02-15T06:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23084"
},
{
"type": "WEB",
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240419-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QG92-VXJM-X4Q9
Vulnerability from github – Published: 2026-06-09 18:31 – Updated: 2026-06-09 18:31Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.
{
"affected": [],
"aliases": [
"CVE-2026-49958"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:49Z",
"severity": "MODERATE"
},
"details": "Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.",
"id": "GHSA-qg92-vxjm-x4q9",
"modified": "2026-06-09T18:31:01Z",
"published": "2026-06-09T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49958"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/pull/3702"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/pull/3756"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/commit/4580f584964d640b95c4ffc9245a21ab926bec73"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.51.303"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hermes-webui-toctou-race-condition-via-git-discard"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QH36-44JV-C8XJ
Vulnerability from github – Published: 2022-02-02 00:01 – Updated: 2026-06-09 10:51As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. All versions of Kubernetes are impacted, and there is no fix in place.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.21.0"
},
{
"last_affected": "1.21.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.20.0"
},
{
"last_affected": "1.20.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.19.0"
},
{
"last_affected": "1.19.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.18.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8562"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-03T17:52:40Z",
"nvd_published_at": "2022-02-01T11:15:00Z",
"severity": "LOW"
},
"details": "As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. All versions of Kubernetes are impacted, and there is no fix in place.",
"id": "GHSA-qh36-44jv-c8xj",
"modified": "2026-06-09T10:51:51Z",
"published": "2022-02-02T00:01:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8562"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/101493"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/101493#issuecomment-2272095629"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOY"
},
{
"type": "WEB",
"url": "https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220225-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Potential proxy IP restriction bypass in Kubernetes"
}
Mitigation
The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
Mitigation
When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Mitigation
Limit the interleaving of operations on files from multiple processes.
Mitigation
If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.
Mitigation
Recheck the resource after the use call to verify that the action was taken appropriately.
Mitigation
Ensure that some environmental locking mechanism can be used to protect resources effectively.
Mitigation
Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.