Common Weakness Enumeration

CWE-367

Allowed

Time-of-check Time-of-use (TOCTOU) Race Condition

Abstraction: Base · Status: Incomplete

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

1063 vulnerabilities reference this CWE, most recent first.

GHSA-QH5H-HJQR-259W

Vulnerability from github – Published: 2023-03-07 21:30 – Updated: 2023-03-13 06:30
VLAI
Details

In ion, there is a possible escalation of privilege due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07559778; Issue ID: ALPS07559778.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-07T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In ion, there is a possible escalation of privilege due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07559778; Issue ID: ALPS07559778.",
  "id": "GHSA-qh5h-hjqr-259w",
  "modified": "2023-03-13T06:30:25Z",
  "published": "2023-03-07T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20623"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/March-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHQH-XP2P-XP7W

Vulnerability from github – Published: 2022-11-15 12:00 – Updated: 2022-11-18 18:30
VLAI
Details

DMA attacks on the parameter buffer used by the VariableRuntimeDxe software SMI handler could lead to a TOCTOU attack. DMA attacks on the parameter buffer used by the software SMI handler used by the driver VariableRuntimeDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23. CWE-367 CWE-367 Report at: https://www.insyde.com/security-pledge/SA-2022056

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-15T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "DMA attacks on the parameter buffer used by the VariableRuntimeDxe software SMI handler could lead to a TOCTOU attack. DMA attacks on the parameter buffer used by the software SMI handler used by the driver VariableRuntimeDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23. CWE-367 CWE-367 Report at: https://www.insyde.com/security-pledge/SA-2022056",
  "id": "GHSA-qhqh-xp2p-xp7w",
  "modified": "2022-11-18T18:30:25Z",
  "published": "2022-11-15T12:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33986"
    },
    {
      "type": "WEB",
      "url": "https://www.insyde.com/security-pledge"
    },
    {
      "type": "WEB",
      "url": "https://www.insyde.com/security-pledge/SA-2022056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJ34-24MC-V6WC

Vulnerability from github – Published: 2022-12-08 18:30 – Updated: 2022-12-12 18:30
VLAI
Details

TOCTOU vulnerability in Samsung decoding library for video thumbnails prior to SMR Dec-2022 Release 1 allows local attacker to perform Out-Of-Bounds Write.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-08T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "TOCTOU vulnerability in Samsung decoding library for video thumbnails prior to SMR Dec-2022 Release 1 allows local attacker to perform Out-Of-Bounds Write.",
  "id": "GHSA-qj34-24mc-v6wc",
  "modified": "2022-12-12T18:30:29Z",
  "published": "2022-12-08T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39908"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJFP-56Q2-GXWJ

Vulnerability from github – Published: 2023-08-08 12:30 – Updated: 2024-04-04 06:38
VLAI
Details

The buffer obtained from kernel APIs such as cam_mem_get_cpu_buf() may be readable/writable in userspace after kernel accesses it. In other words, user mode may race and modify the packet header (e.g. header.count), causing checks (e.g. size checks) in kernel code to be invalid. This may lead to out-of-bounds read/write issues.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-08T10:15:14Z",
    "severity": "HIGH"
  },
  "details": "The buffer obtained from kernel APIs such as cam_mem_get_cpu_buf() may be readable/writable in userspace after kernel accesses it. In other words, user mode may race and modify the packet header (e.g. header.count), causing checks (e.g. size checks) in kernel code to be invalid. This may lead to out-of-bounds read/write issues.",
  "id": "GHSA-qjfp-56q2-gxwj",
  "modified": "2024-04-04T06:38:39Z",
  "published": "2023-08-08T12:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28576"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJQ9-MPCC-F8CR

Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-12 21:31
VLAI
Details

A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. A shortcut may be able to bypass sandbox restrictions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T23:16:10Z",
    "severity": "CRITICAL"
  },
  "details": "A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. A shortcut may be able to bypass sandbox restrictions.",
  "id": "GHSA-qjq9-mpcc-f8cr",
  "modified": "2026-02-12T21:31:26Z",
  "published": "2026-02-12T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20677"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126346"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126347"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126348"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126350"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126353"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QMGC-5H2G-MVRW

Vulnerability from github – Published: 2026-01-13 18:44 – Updated: 2026-01-13 18:44
VLAI
Summary
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Details

Vulnerability Summary

Title: Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

Affected Component: filelock package - SoftFileLock class File: src/filelock/_soft.py lines 17-27 CWE: CWE-362, CWE-367, CWE-59


Description

A TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.

The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.

Attack Scenario

1. Lock attempts to acquire on /tmp/app.lock
2. Permission validation passes
3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock
4. os.open() tries to create lock file
5. Lock operates on attacker-controlled target file or fails

Impact

What kind of vulnerability is it? Who is impacted?

This is a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability affecting any application using SoftFileLock for inter-process synchronization.

Affected Users: - Applications using filelock.SoftFileLock directly - Applications using the fallback FileLock on systems without fcntl support (e.g., GraalPy)

Consequences: - Silent lock acquisition failure - applications may not detect that exclusive resource access is not guaranteed - Denial of Service - attacker can prevent lock file creation by maintaining symlink - Resource serialization failures - multiple processes may acquire "locks" simultaneously - Unintended file operations - lock could operate on attacker-controlled files

CVSS v4.0 Score: 5.6 (Medium) Vector: CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Attack Requirements: - Local filesystem access to the directory containing lock files - Permission to create symlinks (standard for regular unprivileged users on Unix/Linux) - Ability to time the symlink creation during the narrow race window


Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the vulnerability has been patched by adding the O_NOFOLLOW flag to prevent symlink following during lock file creation.

Patched Version: Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)

Mitigation Details: - The O_NOFOLLOW flag is added conditionally and gracefully degrades on platforms without support - On platforms with O_NOFOLLOW support (most modern systems): symlink attacks are completely prevented - On platforms without O_NOFOLLOW (e.g., GraalPy): TOCTOU window remains but is documented

Users should: - Upgrade to the patched version when available - For critical deployments, consider using UnixFileLock or WindowsFileLock instead of the fallback SoftFileLock


Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

For users unable to update immediately:

  1. Avoid SoftFileLock in security-sensitive contexts - use UnixFileLock or WindowsFileLock when available (these were already patched for CVE-2025-68146)

  2. Restrict filesystem permissions - prevent untrusted users from creating symlinks in lock file directories: bash chmod 700 /path/to/lock/directory

  3. Use process isolation - isolate untrusted code from lock file paths to prevent symlink creation

  4. Monitor lock operations - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations


References

Are there any links users can visit to find out more?

  • Similar Vulnerability: CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)
  • CWE-362 (Concurrent Execution using Shared Resource): https://cwe.mitre.org/data/definitions/362.html
  • CWE-367 (Time-of-check Time-of-use Race Condition): https://cwe.mitre.org/data/definitions/367.html
  • CWE-59 (Improper Link Resolution Before File Access): https://cwe.mitre.org/data/definitions/59.html
  • O_NOFOLLOW documentation: https://man7.org/linux/man-pages/man2/open.2.html
  • GitHub Repository: https://github.com/tox-dev/filelock

Reported by: George Tsigourakos (@tsigouris007)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "filelock"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.20.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-367",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T18:44:55Z",
    "nvd_published_at": "2026-01-10T06:15:52Z",
    "severity": "MODERATE"
  },
  "details": "## Vulnerability Summary\n\n**Title:** Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock\n\n**Affected Component:** `filelock` package - `SoftFileLock` class\n**File:** `src/filelock/_soft.py` lines 17-27\n**CWE:** CWE-362, CWE-367, CWE-59\n\n---\n\n## Description\n\nA TOCTOU race condition vulnerability exists in the `SoftFileLock` implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.\n\nThe vulnerability occurs in the `_acquire()` method between `raise_on_not_writable_file()` (permission check) and `os.open()` (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.\n\n### Attack Scenario\n\n```\n1. Lock attempts to acquire on /tmp/app.lock\n2. Permission validation passes\n3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock\n4. os.open() tries to create lock file\n5. Lock operates on attacker-controlled target file or fails\n```\n\n---\n\n## Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is a **Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability** affecting any application using `SoftFileLock` for inter-process synchronization.\n\n**Affected Users:**\n- Applications using `filelock.SoftFileLock` directly\n- Applications using the fallback `FileLock` on systems without `fcntl` support (e.g., GraalPy)\n\n**Consequences:**\n- **Silent lock acquisition failure** - applications may not detect that exclusive resource access is not guaranteed\n- **Denial of Service** - attacker can prevent lock file creation by maintaining symlink\n- **Resource serialization failures** - multiple processes may acquire \"locks\" simultaneously\n- **Unintended file operations** - lock could operate on attacker-controlled files\n\n**CVSS v4.0 Score:** 5.6 (Medium)\n**Vector:** CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N\n\n**Attack Requirements:**\n- Local filesystem access to the directory containing lock files\n- Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)\n- Ability to time the symlink creation during the narrow race window\n\n---\n\n## Patches\n\n_Has the problem been patched? What versions should users upgrade to?_\n\nYes, the vulnerability has been patched by adding the `O_NOFOLLOW` flag to prevent symlink following during lock file creation.\n\n**Patched Version:** Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)\n\n**Mitigation Details:**\n- The `O_NOFOLLOW` flag is added conditionally and gracefully degrades on platforms without support\n- On platforms with `O_NOFOLLOW` support (most modern systems): symlink attacks are completely prevented\n- On platforms without `O_NOFOLLOW` (e.g., GraalPy): TOCTOU window remains but is documented\n\n**Users should:**\n- Upgrade to the patched version when available\n- For critical deployments, consider using `UnixFileLock` or `WindowsFileLock` instead of the fallback `SoftFileLock`\n\n---\n\n## Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nFor users unable to update immediately:\n\n1. **Avoid `SoftFileLock` in security-sensitive contexts** - use `UnixFileLock` or `WindowsFileLock` when available (these were already patched for CVE-2025-68146)\n\n2. **Restrict filesystem permissions** - prevent untrusted users from creating symlinks in lock file directories:\n   ```bash\n   chmod 700 /path/to/lock/directory\n   ```\n\n3. **Use process isolation** - isolate untrusted code from lock file paths to prevent symlink creation\n\n4. **Monitor lock operations** - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations\n\n---\n\n## References\n\n_Are there any links users can visit to find out more?_\n\n- **Similar Vulnerability:** CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)\n- **CWE-362 (Concurrent Execution using Shared Resource):** https://cwe.mitre.org/data/definitions/362.html\n- **CWE-367 (Time-of-check Time-of-use Race Condition):** https://cwe.mitre.org/data/definitions/367.html\n- **CWE-59 (Improper Link Resolution Before File Access):** https://cwe.mitre.org/data/definitions/59.html\n- **O_NOFOLLOW documentation:** https://man7.org/linux/man-pages/man2/open.2.html\n- **GitHub Repository:** https://github.com/tox-dev/filelock\n\n---\n\n**Reported by:** George Tsigourakos (@tsigouris007)",
  "id": "GHSA-qmgc-5h2g-mvrw",
  "modified": "2026-01-13T18:44:55Z",
  "published": "2026-01-13T18:44:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22701"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tox-dev/filelock"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock"
}

GHSA-QMHJ-WG3R-X2H5

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2025-05-22 21:30
VLAI
Details

Medtronic MyCareLink Smart 25000 all versions are vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited an attacker could remotely execute code on the MCL Smart Patient Reader device, leading to control of the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-14T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Medtronic MyCareLink Smart 25000 all versions are vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited an attacker could remotely execute code on the MCL Smart Patient Reader device, leading to control of the device.",
  "id": "GHSA-qmhj-wg3r-x2h5",
  "modified": "2025-05-22T21:30:31Z",
  "published": "2022-05-24T17:36:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27252"
    },
    {
      "type": "WEB",
      "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-smart-security-vulnerability-patch.html"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-345-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPPM-G56G-FPVP

Vulnerability from github – Published: 2026-01-20 18:58 – Updated: 2026-01-21 21:11
VLAI
Summary
Turbo Frame responses can restore stale session cookies
Details

Summary

A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.

Details

Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.

This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.

### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state

The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.

Patches

Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared

Workarounds

  • Use server-side session storage instead of a cookie store like Rails's cookie store
  • Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions

References

  • https://github.com/hotwired/turbo/pull/1399
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.20"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@hotwired/turbo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-367",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T18:58:15Z",
    "nvd_published_at": "2026-01-20T19:15:49Z",
    "severity": "LOW"
  },
  "details": "###  Summary\nA race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.\n\n### Details\nBrowsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.\n\nThis condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.\n\n  ### Impact\n Applications using Turbo Frames with cookie-based session storage may experience:\n  - Session state reversion after logout\n  - Unintended restoration of previous authentication state\n\nThe impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.\n\n###  Patches\n  Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when:\n  - The frame element is disconnected from the DOM\n  - The frame\u0027s disabled attribute is set\n  - The frame\u0027s src attribute is cleared\n\n###  Workarounds\n  - Use server-side session storage instead of a cookie store like Rails\u0027s cookie store\n  - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions\n\n###  References\n  - https://github.com/hotwired/turbo/pull/1399",
  "id": "GHSA-qppm-g56g-fpvp",
  "modified": "2026-01-21T21:11:06Z",
  "published": "2026-01-20T18:58:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/pull/1399"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/commit/899df356e9f4b3303cca217cd14b3f846edda10d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hotwired/turbo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/releases/tag/v8.0.21"
    },
    {
      "type": "WEB",
      "url": "https://turbo.hotwired.dev/handbook/frames"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Turbo Frame responses can restore stale session cookies"
}

GHSA-QRXG-7WRQ-3G62

Vulnerability from github – Published: 2023-07-19 03:30 – Updated: 2024-04-04 06:16
VLAI
Details

IBM Spectrum Protect 8.1.0.0 through 8.1.17.0 could allow a local user to cause a denial of service due to due to improper time-of-check to time-of-use functionality. IBM X-Force ID: 256012.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33832"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-19T01:15:10Z",
    "severity": "MODERATE"
  },
  "details": "IBM Spectrum Protect 8.1.0.0 through 8.1.17.0 could allow a local user to cause a denial of service due to due to improper time-of-check to time-of-use functionality.  IBM X-Force ID:  256012.",
  "id": "GHSA-qrxg-7wrq-3g62",
  "modified": "2024-04-04T06:16:39Z",
  "published": "2023-07-19T03:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33832"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/256012"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7011761"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QV2H-R7HX-HC93

Vulnerability from github – Published: 2023-06-27 00:30 – Updated: 2024-04-04 05:11
VLAI
Details

A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations.

Please note: a local attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

This is similar to, but not identical to CVE-2023-32554.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32555"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-26T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: a local attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis is similar to, but not identical to CVE-2023-32554.",
  "id": "GHSA-qv2h-r7hx-hc93",
  "modified": "2024-04-04T05:11:27Z",
  "published": "2023-06-27T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32555"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/dcx/s/solution/000293108?language=en_US"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-656"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.

Mitigation
Implementation

When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Mitigation
Architecture and Design

Limit the interleaving of operations on files from multiple processes.

Mitigation
Implementation Architecture and Design

If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.

Mitigation
Implementation

Recheck the resource after the use call to verify that the action was taken appropriately.

Mitigation
Architecture and Design

Ensure that some environmental locking mechanism can be used to protect resources effectively.

Mitigation
Implementation

Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.

CAPEC-27: Leveraging Race Conditions via Symbolic Links

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.