Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2909 vulnerabilities reference this CWE, most recent first.

GHSA-MW62-59H3-FXWP

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2022-05-24 16:55
VLAI
Details

In the Android kernel in the FingerTipS touchscreen driver there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-06T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Android kernel in the FingerTipS touchscreen driver there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-mw62-59h3-fxwp",
  "modified": "2022-05-24T16:55:37Z",
  "published": "2022-05-24T16:55:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9450"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2019-09-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MW8G-4MVM-GJ4F

Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-04-10 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: fix kernel BUG when userfaultfd_move encounters swapcache

userfaultfd_move() checks whether the PTE entry is present or a swap entry.

  • If the PTE entry is present, move_present_pte() handles folio migration by setting:

src_folio->index = linear_page_index(dst_vma, dst_addr);

  • If the PTE entry is a swap entry, move_swap_pte() simply copies the PTE to the new dst_addr.

This approach is incorrect because, even if the PTE is a swap entry, it can still reference a folio that remains in the swap cache.

This creates a race window between steps 2 and 4. 1. add_to_swap: The folio is added to the swapcache. 2. try_to_unmap: PTEs are converted to swap entries. 3. pageout: The folio is written back. 4. Swapcache is cleared. If userfaultfd_move() occurs in the window between steps 2 and 4, after the swap PTE has been moved to the destination, accessing the destination triggers do_swap_page(), which may locate the folio in the swapcache. However, since the folio's index has not been updated to match the destination VMA, do_swap_page() will detect a mismatch.

This can result in two critical issues depending on the system configuration.

If KSM is disabled, both small and large folios can trigger a BUG during the add_rmap operation due to:

page_pgoff(folio, page) != linear_page_index(vma, address)

[ 13.336953] page: refcount:6 mapcount:1 mapping:00000000f43db19c index:0xffffaf150 pfn:0x4667c [ 13.337520] head: order:2 mapcount:1 entire_mapcount:0 nr_pages_mapped:1 pincount:0 [ 13.337716] memcg:ffff00000405f000 [ 13.337849] anon flags: 0x3fffc0000020459(locked|uptodate|dirty|owner_priv_1|head|swapbacked|node=0|zone=0|lastcpupid=0xffff) [ 13.338630] raw: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361 [ 13.338831] raw: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000 [ 13.339031] head: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361 [ 13.339204] head: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000 [ 13.339375] head: 03fffc0000000202 fffffdffc0199f01 ffffffff00000000 0000000000000001 [ 13.339546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 13.339736] page dumped because: VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address)) [ 13.340190] ------------[ cut here ]------------ [ 13.340316] kernel BUG at mm/rmap.c:1380! [ 13.340683] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [ 13.340969] Modules linked in: [ 13.341257] CPU: 1 UID: 0 PID: 107 Comm: a.out Not tainted 6.14.0-rc3-gcf42737e247a-dirty #299 [ 13.341470] Hardware name: linux,dummy-virt (DT) [ 13.341671] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 13.341815] pc : __page_check_anon_rmap+0xa0/0xb0 [ 13.341920] lr : __page_check_anon_rmap+0xa0/0xb0 [ 13.342018] sp : ffff80008752bb20 [ 13.342093] x29: ffff80008752bb20 x28: fffffdffc0199f00 x27: 0000000000000001 [ 13.342404] x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001 [ 13.342575] x23: 0000ffffaf0d0000 x22: 0000ffffaf0d0000 x21: fffffdffc0199f00 [ 13.342731] x20: fffffdffc0199f00 x19: ffff000006210700 x18: 00000000ffffffff [ 13.342881] x17: 6c203d2120296567 x16: 6170202c6f696c6f x15: 662866666f67705f [ 13.343033] x14: 6567617028454741 x13: 2929737365726464 x12: ffff800083728ab0 [ 13.343183] x11: ffff800082996bf8 x10: 0000000000000fd7 x9 : ffff80008011bc40 [ 13.343351] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : ffff8000829eebf8 [ 13.343498] x5 : c0000000fffff000 x4 : 0000000000000000 x3 : 0000000000000000 [ 13.343645] x2 : 0000000000000000 x1 : ffff0000062db980 x0 : 000000000000005f [ 13.343876] Call trace: [ 13.344045] __page_check_anon_rmap+0xa0/0xb0 (P) [ 13.344234] folio_add_anon_rmap_ptes+0x22c/0x320 [ 13.344333] do_swap_page+0x1060/0x1400 [ 13.344417] __handl ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix kernel BUG when userfaultfd_move encounters swapcache\n\nuserfaultfd_move() checks whether the PTE entry is present or a\nswap entry.\n\n- If the PTE entry is present, move_present_pte() handles folio\n  migration by setting:\n\n  src_folio-\u003eindex = linear_page_index(dst_vma, dst_addr);\n\n- If the PTE entry is a swap entry, move_swap_pte() simply copies\n  the PTE to the new dst_addr.\n\nThis approach is incorrect because, even if the PTE is a swap entry,\nit can still reference a folio that remains in the swap cache.\n\nThis creates a race window between steps 2 and 4.\n 1. add_to_swap: The folio is added to the swapcache.\n 2. try_to_unmap: PTEs are converted to swap entries.\n 3. pageout: The folio is written back.\n 4. Swapcache is cleared.\nIf userfaultfd_move() occurs in the window between steps 2 and 4,\nafter the swap PTE has been moved to the destination, accessing the\ndestination triggers do_swap_page(), which may locate the folio in\nthe swapcache. However, since the folio\u0027s index has not been updated\nto match the destination VMA, do_swap_page() will detect a mismatch.\n\nThis can result in two critical issues depending on the system\nconfiguration.\n\nIf KSM is disabled, both small and large folios can trigger a BUG\nduring the add_rmap operation due to:\n\n page_pgoff(folio, page) != linear_page_index(vma, address)\n\n[   13.336953] page: refcount:6 mapcount:1 mapping:00000000f43db19c index:0xffffaf150 pfn:0x4667c\n[   13.337520] head: order:2 mapcount:1 entire_mapcount:0 nr_pages_mapped:1 pincount:0\n[   13.337716] memcg:ffff00000405f000\n[   13.337849] anon flags: 0x3fffc0000020459(locked|uptodate|dirty|owner_priv_1|head|swapbacked|node=0|zone=0|lastcpupid=0xffff)\n[   13.338630] raw: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[   13.338831] raw: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[   13.339031] head: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[   13.339204] head: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[   13.339375] head: 03fffc0000000202 fffffdffc0199f01 ffffffff00000000 0000000000000001\n[   13.339546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000\n[   13.339736] page dumped because: VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address))\n[   13.340190] ------------[ cut here ]------------\n[   13.340316] kernel BUG at mm/rmap.c:1380!\n[   13.340683] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[   13.340969] Modules linked in:\n[   13.341257] CPU: 1 UID: 0 PID: 107 Comm: a.out Not tainted 6.14.0-rc3-gcf42737e247a-dirty #299\n[   13.341470] Hardware name: linux,dummy-virt (DT)\n[   13.341671] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   13.341815] pc : __page_check_anon_rmap+0xa0/0xb0\n[   13.341920] lr : __page_check_anon_rmap+0xa0/0xb0\n[   13.342018] sp : ffff80008752bb20\n[   13.342093] x29: ffff80008752bb20 x28: fffffdffc0199f00 x27: 0000000000000001\n[   13.342404] x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001\n[   13.342575] x23: 0000ffffaf0d0000 x22: 0000ffffaf0d0000 x21: fffffdffc0199f00\n[   13.342731] x20: fffffdffc0199f00 x19: ffff000006210700 x18: 00000000ffffffff\n[   13.342881] x17: 6c203d2120296567 x16: 6170202c6f696c6f x15: 662866666f67705f\n[   13.343033] x14: 6567617028454741 x13: 2929737365726464 x12: ffff800083728ab0\n[   13.343183] x11: ffff800082996bf8 x10: 0000000000000fd7 x9 : ffff80008011bc40\n[   13.343351] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : ffff8000829eebf8\n[   13.343498] x5 : c0000000fffff000 x4 : 0000000000000000 x3 : 0000000000000000\n[   13.343645] x2 : 0000000000000000 x1 : ffff0000062db980 x0 : 000000000000005f\n[   13.343876] Call trace:\n[   13.344045]  __page_check_anon_rmap+0xa0/0xb0 (P)\n[   13.344234]  folio_add_anon_rmap_ptes+0x22c/0x320\n[   13.344333]  do_swap_page+0x1060/0x1400\n[   13.344417]  __handl\n---truncated---",
  "id": "GHSA-mw8g-4mvm-gj4f",
  "modified": "2025-04-10T15:31:45Z",
  "published": "2025-04-01T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21984"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e9507246298fd6f1ca7bb42ef01a6e34fb93684"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b1e11bd86c0943bb7624efebdc384340a50ad683"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c50f8e6053b0503375c2975bf47f182445aebb4c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MW9G-HWPR-H3RV

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10
VLAI
Details

init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-05T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used.",
  "id": "GHSA-mw9g-hwpr-h3rv",
  "modified": "2022-05-24T17:10:17Z",
  "published": "2022-05-24T17:10:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1165802"
    },
    {
      "type": "WEB",
      "url": "https://github.com/teejee2008/timeshift/releases/tag/v20.03"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAOFXT64CEUMJE3723JDJWTEQWQUCYMD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SXDEPC52G46U6I7GLQNFLZXVSM7V2HYY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXXYQFSZ5P6ZMNFIDBAQKBFZIR2T7ZLL"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4312-1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/03/06/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MWGW-4C23-7465

Vulnerability from github – Published: 2026-02-14 15:32 – Updated: 2026-03-18 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

serial: Fix not set tty->port race condition

Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not redundant: the tty->port has to be confured before we call uart_configure_port(), otherwise user-space can open console without TTY linked to the driver.

This tty_port_link_device() was added explicitly to avoid this exact issue in commit fb2b90014d78 ("tty: link tty and port before configuring it as console"), so offending commit basically reverted the fix saying it is redundant without addressing the actual race condition presented there.

Reproducible always as tty->port warning on Qualcomm SoC with most of devices disabled, so with very fast boot, and one serial device being the console:

printk: legacy console [ttyMSM0] enabled printk: legacy console [ttyMSM0] enabled printk: legacy bootconsole [qcom_geni0] disabled printk: legacy bootconsole [qcom_geni0] disabled ------------[ cut here ]------------ tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver! WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1 Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6 CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT Tainted: [S]=CPU_OUT_OF_SPEC Hardware name: Qualcomm Technologies, Inc. Eliza (DT) ... tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P) tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3)) chrdev_open (fs/char_dev.c:411) do_dentry_open (fs/open.c:962) vfs_open (fs/open.c:1094) do_open (fs/namei.c:4634) path_openat (fs/namei.c:4793) do_filp_open (fs/namei.c:4820) do_sys_openat2 (fs/open.c:1391 (discriminator 3)) ... Starting Network Name Resolution...

Apparently the flow with this small Yocto-based ramdisk user-space is:

driver (qcom_geni_serial.c): user-space: ============================ =========== qcom_geni_serial_probe() uart_add_one_port() serial_core_register_port() serial_core_add_one_port() uart_configure_port() register_console() | | open console | ... | tty_init_dev() | driver->ports[idx] is NULL | tty_port_register_device_attr_serdev() tty_port_link_device() <- set driver->ports[idx]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T15:16:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix not set tty-\u003eport race condition\n\nRevert commit bfc467db60b7 (\"serial: remove redundant\ntty_port_link_device()\") because the tty_port_link_device() is not\nredundant: the tty-\u003eport has to be confured before we call\nuart_configure_port(), otherwise user-space can open console without TTY\nlinked to the driver.\n\nThis tty_port_link_device() was added explicitly to avoid this exact\nissue in commit fb2b90014d78 (\"tty: link tty and port before configuring\nit as console\"), so offending commit basically reverted the fix saying\nit is redundant without addressing the actual race condition presented\nthere.\n\nReproducible always as tty-\u003eport warning on Qualcomm SoC with most of\ndevices disabled, so with very fast boot, and one serial device being\nthe console:\n\n  printk: legacy console [ttyMSM0] enabled\n  printk: legacy console [ttyMSM0] enabled\n  printk: legacy bootconsole [qcom_geni0] disabled\n  printk: legacy bootconsole [qcom_geni0] disabled\n  ------------[ cut here ]------------\n  tty_init_dev: ttyMSM driver does not set tty-\u003eport. This would crash the kernel. Fix the driver!\n  WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\n  Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\n  CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S                  6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\n  Tainted: [S]=CPU_OUT_OF_SPEC\n  Hardware name: Qualcomm Technologies, Inc. Eliza (DT)\n  ...\n  tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)\n  tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))\n  chrdev_open (fs/char_dev.c:411)\n  do_dentry_open (fs/open.c:962)\n  vfs_open (fs/open.c:1094)\n  do_open (fs/namei.c:4634)\n  path_openat (fs/namei.c:4793)\n  do_filp_open (fs/namei.c:4820)\n  do_sys_openat2 (fs/open.c:1391 (discriminator 3))\n  ...\n  Starting Network Name Resolution...\n\nApparently the flow with this small Yocto-based ramdisk user-space is:\n\ndriver (qcom_geni_serial.c):                  user-space:\n============================                  ===========\nqcom_geni_serial_probe()\n uart_add_one_port()\n  serial_core_register_port()\n   serial_core_add_one_port()\n    uart_configure_port()\n     register_console()\n    |\n    |                                         open console\n    |                                          ...\n    |                                          tty_init_dev()\n    |                                           driver-\u003eports[idx] is NULL\n    |\n    tty_port_register_device_attr_serdev()\n     tty_port_link_device() \u003c- set driver-\u003eports[idx]",
  "id": "GHSA-mwgw-4c23-7465",
  "modified": "2026-03-18T15:30:40Z",
  "published": "2026-02-14T15:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23115"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2501c49306238b54a2de0f93de43d50ab6e76c84"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32f37e57583f869140cff445feedeea8a5fea986"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MX54-78G5-6R6J

Vulnerability from github – Published: 2023-04-06 18:30 – Updated: 2023-04-12 21:30
VLAI
Details

In vdec, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07671069; Issue ID: ALPS07671069.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In vdec, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07671069; Issue ID: ALPS07671069.",
  "id": "GHSA-mx54-78g5-6r6j",
  "modified": "2023-04-12T21:30:20Z",
  "published": "2023-04-06T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20684"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/April-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MX6Q-9P52-PGFG

Vulnerability from github – Published: 2022-05-17 05:24 – Updated: 2024-03-21 03:33
VLAI
Details

** DISPUTED ** Race condition in G DATA TotalCare 2010 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-5162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-08-25T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "** DISPUTED ** Race condition in G DATA TotalCare 2010 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack.  NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute.",
  "id": "GHSA-mx6q-9p52-pgfg",
  "modified": "2024-03-21T03:33:10Z",
  "published": "2022-05-17T05:24:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5162"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2010-05/0026.html"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0066.html"
    },
    {
      "type": "WEB",
      "url": "http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk"
    },
    {
      "type": "WEB",
      "url": "http://matousec.com/info/advisories/khobe-8.0-earthquake-for-windows-desktop-security-software.php"
    },
    {
      "type": "WEB",
      "url": "http://matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php"
    },
    {
      "type": "WEB",
      "url": "http://www.f-secure.com/weblog/archives/00001949.html"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/67660"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/39924"
    },
    {
      "type": "WEB",
      "url": "http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MX89-JX34-X3W8

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15
VLAI
Details

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-1264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-02-13T12:04:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.",
  "id": "GHSA-mx89-jx34-x3w8",
  "modified": "2022-05-13T01:15:45Z",
  "published": "2022-05-13T01:15:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1264"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-016"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16379"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA13-043B.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MX9W-93G3-J7GR

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15
VLAI
Details

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-1250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-02-13T12:04:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.",
  "id": "GHSA-mx9w-93g3-j7gr",
  "modified": "2022-05-13T01:15:44Z",
  "published": "2022-05-13T01:15:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1250"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-016"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16142"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA13-043B.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MXFW-G2RW-X783

Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-13 21:30
VLAI
Details

Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T22:16:30Z",
    "severity": "CRITICAL"
  },
  "details": "Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-mxfw-g2rw-x783",
  "modified": "2026-04-13T21:30:39Z",
  "published": "2026-04-09T00:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5902"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/483109205"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXFW-GGFQ-H96H

Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2022-05-17 02:45
VLAI
Details

In F5 BIG-IP 12.1.0 through 12.1.2, permissions enforced by iControl can lag behind the actual permissions assigned to a user if the role_map is not reloaded between the time the permissions are changed and the time of the user's next request. This is a race condition that occurs rarely in normal usage; the typical period in which this is possible is limited to at most a few seconds after the permission change.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-09T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "In F5 BIG-IP 12.1.0 through 12.1.2, permissions enforced by iControl can lag behind the actual permissions assigned to a user if the role_map is not reloaded between the time the permissions are changed and the time of the user\u0027s next request. This is a race condition that occurs rarely in normal usage; the typical period in which this is possible is limited to at most a few seconds after the permission change.",
  "id": "GHSA-mxfw-ggfq-h96h",
  "modified": "2022-05-17T02:45:41Z",
  "published": "2022-05-17T02:45:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9256"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K47284724"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96464"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.