CWE-833
AllowedDeadlock
Abstraction: Base · Status: Incomplete
The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
39 vulnerabilities reference this CWE, most recent first.
GHSA-3HG2-R75X-G69M
Vulnerability from github – Published: 2023-09-18 19:20 – Updated: 2024-11-22 20:35Impact
Locks of the type @nonreentrant("") or @nonreentrant('') do not produce reentrancy checks at runtime.
@nonreentrant("") # unprotected
@external
def bar():
pass
@nonreentrant("lock") # protected
@external
def foo():
pass
Patches
Patched in #3605
Workarounds
The lock name should be a non-empty string.
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vyper"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.9"
},
{
"fixed": "0.3.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42441"
],
"database_specific": {
"cwe_ids": [
"CWE-667",
"CWE-833"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-18T19:20:55Z",
"nvd_published_at": "2023-09-18T21:16:09Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nLocks of the type `@nonreentrant(\"\")` or `@nonreentrant(\u0027\u0027)` do not produce reentrancy checks at runtime.\n\n```Vyper\n@nonreentrant(\"\") # unprotected\n@external\ndef bar():\n pass\n\n@nonreentrant(\"lock\") # protected\n@external\ndef foo():\n pass\n```\n### Patches\n\nPatched in #3605\n\n### Workarounds\n\nThe lock name should be a non-empty string.\n\n### References\n_Are there any links users can visit to find out more?_\n",
"id": "GHSA-3hg2-r75x-g69m",
"modified": "2024-11-22T20:35:07Z",
"published": "2023-09-18T19:20:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42441"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/pull/3605"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/commit/0b740280c1e3c5528a20d47b29831948ddcc6d83"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-305.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vyperlang/vyper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vyper has incorrect re-entrancy lock when key is empty string"
}
GHSA-54QX-6C6V-96W4
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32Windows Security Account Manager (SAM) Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-21313"
],
"database_specific": {
"cwe_ids": [
"CWE-833"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:55Z",
"severity": "MODERATE"
},
"details": "Windows Security Account Manager (SAM) Denial of Service Vulnerability",
"id": "GHSA-54qx-6c6v-96w4",
"modified": "2025-01-14T18:32:04Z",
"published": "2025-01-14T18:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21313"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5W2P-JHH5-RPR3
Vulnerability from github – Published: 2024-10-11 18:32 – Updated: 2024-10-11 18:32A Deadlock vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).
When a large amount of traffic is processed by ATP Cloud inspection, a deadlock can occur which will result in a PFE crash and restart. Whether the crash occurs, depends on system internal timing that is outside the attackers control.
This issue affects Junos OS on SRX Series:
- All versions before 21.3R3-S1,
- 21.4 versions before 21.4R3,
- 22.1 versions before 22.1R2,
- 22.2 versions before 22.2R1-S2, 22.2R2.
{
"affected": [],
"aliases": [
"CVE-2024-47506"
],
"database_specific": {
"cwe_ids": [
"CWE-833"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-11T16:15:12Z",
"severity": "HIGH"
},
"details": "A Deadlock vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).\n\nWhen a large amount of traffic is processed by ATP Cloud inspection, a deadlock can occur which will result in a PFE crash and restart. Whether the crash occurs, depends on system internal timing that is outside the attackers control.\n\n\n\nThis issue affects Junos OS on SRX Series:\n\n\n\n * All versions before 21.3R3-S1,\n * 21.4 versions before 21.4R3,\n * 22.1 versions before 22.1R2,\n * 22.2 versions before 22.2R1-S2, 22.2R2.",
"id": "GHSA-5w2p-jhh5-rpr3",
"modified": "2024-10-11T18:32:49Z",
"published": "2024-10-11T18:32:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47506"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA88137"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-668P-X3M7-8W6V
Vulnerability from github – Published: 2024-01-17 18:31 – Updated: 2024-01-24 21:30A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.
{
"affected": [],
"aliases": [
"CVE-2024-0639"
],
"database_specific": {
"cwe_ids": [
"CWE-667",
"CWE-833"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-17T16:15:46Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel\u2019s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.",
"id": "GHSA-668p-x3m7-8w6v",
"modified": "2024-01-24T21:30:32Z",
"published": "2024-01-17T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0639"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/6feb37b3b06e9049e20dcf7e23998f92c9c5be9a"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0639"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258754"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7WC5-9F3F-6F5R
Vulnerability from github – Published: 2025-07-30 18:31 – Updated: 2025-07-30 18:31Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) :
- Devolutions Server 2025.2.5.0 and earlier
{
"affected": [],
"aliases": [
"CVE-2025-8312"
],
"database_specific": {
"cwe_ids": [
"CWE-833"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-30T16:15:29Z",
"severity": "HIGH"
},
"details": "Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) :\n\n * \nDevolutions Server 2025.2.5.0 and earlier",
"id": "GHSA-7wc5-9f3f-6f5r",
"modified": "2025-07-30T18:31:36Z",
"published": "2025-07-30T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8312"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2025-0013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8J39-C987-FRXV
Vulnerability from github – Published: 2025-10-28 09:31 – Updated: 2025-10-28 09:31Webserver crash caused by scanning on TCP port 80 in Softing Industrial Automation GmbH gateways and switch.This issue affects
smartLink HW-PN: from 1.02 through 1.03
smartLink HW-DP: 1.31
{
"affected": [],
"aliases": [
"CVE-2025-10150"
],
"database_specific": {
"cwe_ids": [
"CWE-833"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-28T08:15:32Z",
"severity": "HIGH"
},
"details": "Webserver crash caused by scanning on TCP port 80 in Softing Industrial Automation GmbH gateways and switch.This issue affects\n\nsmartLink HW-PN: from 1.02 through 1.03\n\nsmartLink HW-DP: 1.31",
"id": "GHSA-8j39-c987-frxv",
"modified": "2025-10-28T09:31:54Z",
"published": "2025-10-28T09:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10150"
},
{
"type": "WEB",
"url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-10150.html"
},
{
"type": "WEB",
"url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-10150.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-9H59-P45G-445H
Vulnerability from github – Published: 2026-03-26 22:13 – Updated: 2026-03-27 21:51Summary
A deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted.
Impact
An attacker with access to the N2 interface can cause Ella Core to hang, resulting in a denial of service for all subscribers.
Fix
Add deferred Radio cleanup in serveConn SCTP server so that every connection exit path removes the radio. Remove the stale-entry scan from SCTP Notification handling.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ellanetworks/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33904"
],
"database_specific": {
"cwe_ids": [
"CWE-833"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T22:13:33Z",
"nvd_published_at": "2026-03-27T21:17:26Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA deadlock in the AMF\u0027s SCTP notification handler causes the entire AMF control plane to hang until the process is restarted. \n\n## Impact\n\nAn attacker with access to the N2 interface can cause Ella Core to hang, resulting in a denial of service for all subscribers.\n\n## Fix\n\nAdd deferred Radio cleanup in serveConn SCTP server so that every connection exit path removes the radio. Remove the stale-entry scan from SCTP Notification handling.",
"id": "GHSA-9h59-p45g-445h",
"modified": "2026-03-27T21:51:35Z",
"published": "2026-03-26T22:13:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-9h59-p45g-445h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33904"
},
{
"type": "WEB",
"url": "https://github.com/ellanetworks/core/commit/999f606c5cae261471d9e3f063d7ecd1bd754076"
},
{
"type": "PACKAGE",
"url": "https://github.com/ellanetworks/core"
},
{
"type": "WEB",
"url": "https://github.com/ellanetworks/core/releases/tag/v1.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ella Core has a Denial of Service via SCTP connection cleanup deadlock "
}
GHSA-F886-X4W4-9RWJ
Vulnerability from github – Published: 2023-04-24 06:31 – Updated: 2024-03-25 03:31An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.
{
"affected": [],
"aliases": [
"CVE-2023-31084"
],
"database_specific": {
"cwe_ids": [
"CWE-833"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-24T06:15:07Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(\u0026fepriv-\u003esem) is called. However, wait_event_interruptible would put the process to sleep, and down(\u0026fepriv-\u003esem) may block the process.",
"id": "GHSA-f886-x4w4-9rwj",
"modified": "2024-03-25T03:31:44Z",
"published": "2023-04-24T06:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31084"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b8c75e4a1b325ea0a9433fa8834be97b5836b946"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HIEOLEOURP4BJZMIL7UGGPYRRB44UDN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AOATNX5UFL7V7W2QDIQKOHFFHYKWFP4W"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HIEOLEOURP4BJZMIL7UGGPYRRB44UDN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AOATNX5UFL7V7W2QDIQKOHFFHYKWFP4W"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw%40mail.gmail.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230929-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5448"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H63J-VF47-M3CH
Vulnerability from github – Published: 2025-07-17 15:32 – Updated: 2025-07-17 15:32When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.
{
"affected": [],
"aliases": [
"CVE-2025-1713"
],
"database_specific": {
"cwe_ids": [
"CWE-833"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-17T14:15:30Z",
"severity": "HIGH"
},
"details": "When setting up interrupt remapping for legacy PCI(-X) devices,\nincluding PCI(-X) bridges, a lookup of the upstream bridge is required.\nThis lookup, itself involving acquiring of a lock, is done in a context\nwhere acquiring that lock is unsafe. This can lead to a deadlock.",
"id": "GHSA-h63j-vf47-m3ch",
"modified": "2025-07-17T15:32:15Z",
"published": "2025-07-17T15:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1713"
},
{
"type": "WEB",
"url": "https://xenbits.xenproject.org/xsa/advisory-467.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/27/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/27/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/28/1"
},
{
"type": "WEB",
"url": "http://xenbits.xen.org/xsa/advisory-467.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H65W-P466-MPMX
Vulnerability from github – Published: 2026-05-28 21:32 – Updated: 2026-05-28 21:32Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.
{
"affected": [],
"aliases": [
"CVE-2026-47334"
],
"database_specific": {
"cwe_ids": [
"CWE-833"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T19:16:42Z",
"severity": "MODERATE"
},
"details": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
"id": "GHSA-h65w-p466-mpmx",
"modified": "2026-05-28T21:32:02Z",
"published": "2026-05-28T21:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47334"
},
{
"type": "WEB",
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=f0e73aec23d13a9877fba096b1c2fd19f66e5313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-25: Forced Deadlock
The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.