CWE-413
AllowedImproper Resource Locking
Abstraction: Base · Status: Draft
The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.
27 vulnerabilities reference this CWE, most recent first.
GHSA-6FPP-3M7Q-Q8JC
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:15An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space.
{
"affected": [],
"aliases": [
"CVE-2019-8998"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-413"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-12T16:15:00Z",
"severity": "HIGH"
},
"details": "An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space.",
"id": "GHSA-6fpp-3m7q-q8jc",
"modified": "2024-04-04T01:15:36Z",
"published": "2022-05-24T16:50:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8998"
},
{
"type": "WEB",
"url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8VFH-PG44-PPRG
Vulnerability from github – Published: 2025-08-03 00:30 – Updated: 2025-08-03 00:30A flaw was found in the Linux kernel's ksmbd component. A deadlock is triggered by sending multiple concurrent session setup requests, possibly leading to a denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-32253"
],
"database_specific": {
"cwe_ids": [
"CWE-413"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-02T23:15:24Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Linux kernel\u0027s ksmbd component. A deadlock is triggered by sending multiple concurrent session setup requests, possibly leading to a denial of service.",
"id": "GHSA-8vfh-pg44-pprg",
"modified": "2025-08-03T00:30:24Z",
"published": "2025-08-03T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32253"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-32253"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385886"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FX8Q-9CM5-75V9
Vulnerability from github – Published: 2026-05-20 12:30 – Updated: 2026-05-21 00:30NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
{
"affected": [],
"aliases": [
"CVE-2026-44608"
],
"database_specific": {
"cwe_ids": [
"CWE-413"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T10:16:28Z",
"severity": "MODERATE"
},
"details": "NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with \u0027rpz-nsip\u0027/\u0027rpz-nsdname\u0027 triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with \u0027rpz-nsip\u0027/\u0027rpz-nsdname\u0027 triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.",
"id": "GHSA-fx8q-9cm5-75v9",
"modified": "2026-05-21T00:30:27Z",
"published": "2026-05-20T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44608"
},
{
"type": "WEB",
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-JW2V-CQ5X-Q68G
Vulnerability from github – Published: 2026-01-20 16:30 – Updated: 2026-02-02 22:21Summary
Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle.
However, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time.
As a result a server would be able to create more databases, allocations, or backups than configured.
Impact
A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pterodactyl/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69198"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-400",
"CWE-413",
"CWE-667"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-20T16:30:17Z",
"nvd_published_at": "2026-01-19T19:16:03Z",
"severity": "MODERATE"
},
"details": "### Summary\nPterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle.\n\nHowever, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time.\n\nAs a result a server would be able to create more databases, allocations, or backups than configured.\n\n### Impact\nA malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system.",
"id": "GHSA-jw2v-cq5x-q68g",
"modified": "2026-02-02T22:21:44Z",
"published": "2026-01-20T16:30:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69198"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/panel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted"
}
GHSA-Q6V3-R63X-Q74W
Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2025-10-07 18:31Improper Resource Locking vulnerability in B&R Industrial Automation Automation Runtime.This issue affects Automation Runtime: from 6.0 before 6.3, before Q4.93.
{
"affected": [],
"aliases": [
"CVE-2025-3450"
],
"database_specific": {
"cwe_ids": [
"CWE-413"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-07T18:15:59Z",
"severity": "CRITICAL"
},
"details": "Improper Resource Locking vulnerability in B\u0026R Industrial Automation Automation Runtime.This issue affects Automation Runtime: from 6.0 before 6.3, before Q4.93.",
"id": "GHSA-q6v3-r63x-q74w",
"modified": "2025-10-07T18:31:11Z",
"published": "2025-10-07T18:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3450"
},
{
"type": "WEB",
"url": "https://www.br-automation.com/fileadmin/SA25P002-f6a69e61.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RCV8-V727-XG26
Vulnerability from github – Published: 2023-05-22 21:30 – Updated: 2024-04-04 04:16The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests to claim already claimed devices. The OvrC cloud platform receives the requests but does not validate if the found devices are already managed by another user.
{
"affected": [],
"aliases": [
"CVE-2023-28649"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-413"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-22T20:15:10Z",
"severity": "HIGH"
},
"details": "\nThe Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests to claim already claimed devices. The OvrC cloud platform receives the requests but does not validate if the found devices are already managed by another user.\n\n\n\n\n\n\n",
"id": "GHSA-rcv8-v727-xg26",
"modified": "2024-04-04T04:16:42Z",
"published": "2023-05-22T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28649"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01"
},
{
"type": "WEB",
"url": "https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWG7-JQ5F-XFCJ
Vulnerability from github – Published: 2022-06-16 00:00 – Updated: 2022-06-29 00:00Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC-Q Series Q03UDECPU all versions, Mitsubishi Electric MELSEC-Q Series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU the first 5 digits of serial number "24051" and prior, Mitsubishi Electric MELSEC-Q Series Q04/06/13/26UDPVCPU the first 5 digits of serial number "24051" and prior, Mitsubishi Electric MELSEC-L series L02/06/26CPU(-P) the first 5 digits of serial number "24051" and prior and Mitsubishi Electric MELSEC-L series L26CPU-(P)BT the first 5 digits of serial number "24051" and prior allows a remote unauthenticated attacker to cause a denial of service (DoS) condition in Ethernet communications by sending specially crafted packets. A system reset of the products is required for recovery.
{
"affected": [],
"aliases": [
"CVE-2022-24946"
],
"database_specific": {
"cwe_ids": [
"CWE-413",
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-15T21:15:00Z",
"severity": "HIGH"
},
"details": "Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC-Q Series Q03UDECPU all versions, Mitsubishi Electric MELSEC-Q Series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU the first 5 digits of serial number \"24051\" and prior, Mitsubishi Electric MELSEC-Q Series Q04/06/13/26UDPVCPU the first 5 digits of serial number \"24051\" and prior, Mitsubishi Electric MELSEC-L series L02/06/26CPU(-P) the first 5 digits of serial number \"24051\" and prior and Mitsubishi Electric MELSEC-L series L26CPU-(P)BT the first 5 digits of serial number \"24051\" and prior allows a remote unauthenticated attacker to cause a denial of service (DoS) condition in Ethernet communications by sending specially crafted packets. A system reset of the products is required for recovery.",
"id": "GHSA-xwg7-jq5f-xfcj",
"modified": "2022-06-29T00:00:29Z",
"published": "2022-06-16T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24946"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU#90895626/index.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU90895626/index.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-01"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-007_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use a non-conflicting privilege scheme.
Mitigation
Use synchronization when locking a resource.
No CAPEC attack patterns related to this CWE.