CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2895 vulnerabilities reference this CWE, most recent first.
GHSA-25H5-VGQ2-336R
Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-21231"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T18:16:23Z",
"severity": "HIGH"
},
"details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows Kernel allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-25h5-vgq2-336r",
"modified": "2026-02-10T18:30:41Z",
"published": "2026-02-10T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21231"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21231"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25RG-6FCP-95MQ
Vulnerability from github – Published: 2022-05-01 06:37 – Updated: 2022-05-01 06:37Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE.
{
"affected": [],
"aliases": [
"CVE-2006-0039"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-05-19T22:02:00Z",
"severity": "MODERATE"
},
"details": "Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE.",
"id": "GHSA-25rg-6fcp-95mq",
"modified": "2022-05-01T06:37:08Z",
"published": "2022-05-01T06:37:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-0039"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26583"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10309"
},
{
"type": "WEB",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=133465"
},
{
"type": "WEB",
"url": "http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.17"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20185"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20671"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20914"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20991"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/21476"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/22292"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/22945"
},
{
"type": "WEB",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2006-249.htm"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2006/dsa-1097"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2006/dsa-1103"
},
{
"type": "WEB",
"url": "http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=2722971cbe831117686039d5c334f2c0f560be13"
},
{
"type": "WEB",
"url": "http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2722971cbe831117686039d5c334f2c0f560be13"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/25697"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2006-0689.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/18113"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-311-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/1893"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/2554"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-25RP-52G6-GV8J
Vulnerability from github – Published: 2026-04-13 06:30 – Updated: 2026-04-13 06:30UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2026-34857"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T05:16:03Z",
"severity": "MODERATE"
},
"details": "UAF vulnerability in the communication module.\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-25rp-52g6-gv8j",
"modified": "2026-04-13T06:30:30Z",
"published": "2026-04-13T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34857"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/4"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinvision/2026/4"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinwearables/2026/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25RW-V6G3-5HGC
Vulnerability from github – Published: 2022-05-01 23:34 – Updated: 2022-05-01 23:34Multiple race conditions in the CPU Performance Counters (cpc) subsystem in the kernel in Sun Solaris 10 allow local users to cause a denial of service (panic) via unspecified vectors related to kcpc_unbind and kcpc_restore.
{
"affected": [],
"aliases": [
"CVE-2008-0933"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-02-25T18:44:00Z",
"severity": "MODERATE"
},
"details": "Multiple race conditions in the CPU Performance Counters (cpc) subsystem in the kernel in Sun Solaris 10 allow local users to cause a denial of service (panic) via unspecified vectors related to kcpc_unbind and kcpc_restore.",
"id": "GHSA-25rw-v6g3-5hgc",
"modified": "2022-05-01T23:34:48Z",
"published": "2022-05-01T23:34:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0933"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5476"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29052"
},
{
"type": "WEB",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-231466-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27941"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1019490"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/0642"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-25VH-J698-43Q9
Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:31In the Linux kernel, the following vulnerability has been resolved:
tty: serial: fsl_lpuart: fix race on RX DMA shutdown
From time to time DMA completion can come in the middle of DMA shutdown:
: : lpuart32_shutdown() lpuart_dma_shutdown() del_timer_sync() lpuart_dma_rx_complete() lpuart_copy_rx_to_tty() mod_timer() lpuart_dma_rx_free()
When the timer fires a bit later, sport->dma_rx_desc is NULL:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 pc : lpuart_copy_rx_to_tty+0xcc/0x5bc lr : lpuart_timer_func+0x1c/0x2c Call trace: lpuart_copy_rx_to_tty lpuart_timer_func call_timer_fn __run_timers.part.0 run_timer_softirq __do_softirq __irq_exit_rcu irq_exit handle_domain_irq gic_handle_irq call_on_irq_stack do_interrupt_handler ...
To fix this fold del_timer_sync() into lpuart_dma_rx_free() after dmaengine_terminate_sync() to make sure timer will not be re-started in lpuart_copy_rx_to_tty() <= lpuart_dma_rx_complete().
{
"affected": [],
"aliases": [
"CVE-2023-53094"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T16:15:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: fsl_lpuart: fix race on RX DMA shutdown\n\nFrom time to time DMA completion can come in the middle of DMA shutdown:\n\n\u003cprocess ctx\u003e:\t\t\t\t\u003cIRQ\u003e:\nlpuart32_shutdown()\n lpuart_dma_shutdown()\n del_timer_sync()\n\t\t\t\t\tlpuart_dma_rx_complete()\n\t\t\t\t\t lpuart_copy_rx_to_tty()\n\t\t\t\t\t mod_timer()\n lpuart_dma_rx_free()\n\nWhen the timer fires a bit later, sport-\u003edma_rx_desc is NULL:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000004\npc : lpuart_copy_rx_to_tty+0xcc/0x5bc\nlr : lpuart_timer_func+0x1c/0x2c\nCall trace:\n lpuart_copy_rx_to_tty\n lpuart_timer_func\n call_timer_fn\n __run_timers.part.0\n run_timer_softirq\n __do_softirq\n __irq_exit_rcu\n irq_exit\n handle_domain_irq\n gic_handle_irq\n call_on_irq_stack\n do_interrupt_handler\n ...\n\nTo fix this fold del_timer_sync() into lpuart_dma_rx_free() after\ndmaengine_terminate_sync() to make sure timer will not be re-started in\nlpuart_copy_rx_to_tty() \u003c= lpuart_dma_rx_complete().",
"id": "GHSA-25vh-j698-43q9",
"modified": "2025-11-12T21:31:01Z",
"published": "2025-05-02T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53094"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19a98d56dfedafb25652bdb9cd48a4e73ceba702"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1be6f2b15f902c02e055ae0b419ca789200473c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a36b444cace9580380467fd1183bb5e85bcc80a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90530e7214c8a04dcdde57502d93fa96af288c38"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/954fc9931f0aabf272b5674cf468affdd88d3a36"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25WV-8PHJ-8P7R
Vulnerability from github – Published: 2026-04-09 17:35 – Updated: 2026-05-06 02:41Impact
Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths.
Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<=2026.4.2 - Patched versions:
2026.4.4
Fix
The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Verification
The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.
Credits
Thanks @Telecaster2147 for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41913"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T17:35:57Z",
"nvd_published_at": "2026-04-28T19:37:45Z",
"severity": "LOW"
},
"details": "## Impact\n\nConcurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths.\n\nConcurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c=2026.4.2`\n- Patched versions: `2026.4.4`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @Telecaster2147 for reporting.",
"id": "GHSA-25wv-8phj-8p7r",
"modified": "2026-05-06T02:41:14Z",
"published": "2026-04-09T17:35:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41913"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-rate-limit-bypass-via-concurrent-async-authentication-attempts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths"
}
GHSA-2626-FG73-6XGQ
Vulnerability from github – Published: 2022-05-14 01:24 – Updated: 2025-04-20 03:47An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic that leverages a race condition.
{
"affected": [],
"aliases": [
"CVE-2017-7115"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-23T01:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. The issue involves the \"Wi-Fi\" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic that leverages a race condition.",
"id": "GHSA-2626-fg73-6xgq",
"modified": "2025-04-20T03:47:28Z",
"published": "2022-05-14T01:24:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7115"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1317"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208112"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208113"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/42996"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100924"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039385"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-268V-P5RC-RHMV
Vulnerability from github – Published: 2025-02-13 15:31 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
net: avoid race between device unregistration and ethnl ops
The following trace can be seen if a device is being unregistered while its number of channels are being modified.
DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea.
Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough.
Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.
{
"affected": [],
"aliases": [
"CVE-2025-21701"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-13T15:15:20Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid race between device unregistration and ethnl ops\n\nThe following trace can be seen if a device is being unregistered while\nits number of channels are being modified.\n\n DEBUG_LOCKS_WARN_ON(lock-\u003emagic != lock)\n WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120\n CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771\n RIP: 0010:__mutex_lock+0xc8a/0x1120\n Call Trace:\n \u003cTASK\u003e\n ethtool_check_max_channel+0x1ea/0x880\n ethnl_set_channels+0x3c3/0xb10\n ethnl_default_set_doit+0x306/0x650\n genl_family_rcv_msg_doit+0x1e3/0x2c0\n genl_rcv_msg+0x432/0x6f0\n netlink_rcv_skb+0x13d/0x3b0\n genl_rcv+0x28/0x40\n netlink_unicast+0x42e/0x720\n netlink_sendmsg+0x765/0xc20\n __sys_sendto+0x3ac/0x420\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x95/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because unregister_netdevice_many_notify might run before the\nrtnl lock section of ethnl operations, eg. set_channels in the above\nexample. In this example the rss lock would be destroyed by the device\nunregistration path before being used again, but in general running\nethnl operations while dismantle has started is not a good idea.\n\nFix this by denying any operation on devices being unregistered. A check\nwas already there in ethnl_ops_begin, but not wide enough.\n\nNote that the same issue cannot be seen on the ioctl version\n(__dev_ethtool) because the device reference is retrieved from within\nthe rtnl lock section there. Once dismantle started, the net device is\nunlisted and no reference will be found.",
"id": "GHSA-268v-p5rc-rhmv",
"modified": "2026-05-12T15:30:46Z",
"published": "2025-02-13T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21701"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-26CH-X2J2-W6VX
Vulnerability from github – Published: 2022-05-17 01:45 – Updated: 2022-05-17 01:45The user_change_icon_file_authorized_cb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition.
{
"affected": [],
"aliases": [
"CVE-2012-2737"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-07-22T17:55:00Z",
"severity": "LOW"
},
"details": "The user_change_icon_file_authorized_cb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition.",
"id": "GHSA-26ch-x2j2-w6vx",
"modified": "2022-05-17T01:45:20Z",
"published": "2022-05-17T01:45:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2737"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=832532"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76648"
},
{
"type": "WEB",
"url": "https://hermes.opensuse.org/messages/15100967"
},
{
"type": "WEB",
"url": "http://cgit.freedesktop.org/accountsservice/commit/?id=26213aa0e0d8dca5f36cc23f6942525224cbe9f5"
},
{
"type": "WEB",
"url": "http://cgit.freedesktop.org/accountsservice/commit/?id=27f3d93a82fde4f6c7ab54f3f008af04f93f9c69"
},
{
"type": "WEB",
"url": "http://cgit.freedesktop.org/accountsservice/commit/?id=4c5b12e363410e490e776e4b4a86dcce157a543d"
},
{
"type": "WEB",
"url": "http://cgit.freedesktop.org/accountsservice/commit/?id=bd51aa4cdac380f55d607f4ffdf2ab3c00d08721"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083359.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/83398"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/49695"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/49759"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/06/28/9"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/54223"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1485-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-26G9-QM28-697J
Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2021-12-09 00:01There is a Race Condition vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to motionhub crash.
{
"affected": [],
"aliases": [
"CVE-2021-37082"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T17:15:00Z",
"severity": "MODERATE"
},
"details": "There is a Race Condition vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to motionhub crash.",
"id": "GHSA-26g9-qm28-697j",
"modified": "2021-12-09T00:01:29Z",
"published": "2021-12-08T00:01:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37082"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.