Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2907 vulnerabilities reference this CWE, most recent first.

GHSA-Q2GV-W495-JMXW

Vulnerability from github – Published: 2022-05-17 03:31 – Updated: 2022-05-17 03:31
VLAI
Details

Multiple race conditions in dom/media/systemservices/CamerasChild.cpp in the WebRTC implementation in Mozilla Firefox before 45.0 on Windows might allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1975"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-03-13T18:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple race conditions in dom/media/systemservices/CamerasChild.cpp in the WebRTC implementation in Mozilla Firefox before 45.0 on Windows might allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.",
  "id": "GHSA-q2gv-w495-jmxw",
  "modified": "2022-05-17T03:31:20Z",
  "published": "2022-05-17T03:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1975"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1230768"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201605-06"
    },
    {
      "type": "WEB",
      "url": "http://hg.mozilla.org/releases/mozilla-release/rev/bafc86c12e63"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html"
    },
    {
      "type": "WEB",
      "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-32.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/84220"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1035215"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2VP-HGH9-QP96

Vulnerability from github – Published: 2023-01-21 03:30 – Updated: 2023-01-30 18:30
VLAI
Details

A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request. A handler thread can use an overwritten context->FileName.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-21T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request. A handler thread can use an overwritten context-\u003eFileName.",
  "id": "GHSA-q2vp-hgh9-qp96",
  "modified": "2023-01-30T18:30:29Z",
  "published": "2023-01-21T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24042"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hfiref0x/LightFTP/issues/25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q32W-2QJP-8M8Q

Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-20 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing/synthetic: Fix races on freeing last_cmd

Currently, the "last_cmd" variable can be accessed by multiple processes asynchronously when multiple users manipulate synthetic_events node at the same time, it could lead to use-after-free or double-free.

This patch add "lastcmd_mutex" to prevent "last_cmd" from being accessed asynchronously.

================================================================

It's easy to reproduce in the KASAN environment by running the two scripts below in different shells.

script 1: while : do echo -n -e '\x88' > /sys/kernel/tracing/synthetic_events done

script 2: while : do echo -n -e '\xb0' > /sys/kernel/tracing/synthetic_events done

================================================================ double-free scenario:

process A                       process B

------------------- --------------- 1.kstrdup last_cmd 2.free last_cmd 3.free last_cmd(double-free)

================================================================ use-after-free scenario:

process A                       process B

------------------- --------------- 1.kstrdup last_cmd 2.free last_cmd 3.tracing_log_err(use-after-free)

================================================================

Appendix 1. KASAN report double-free:

BUG: KASAN: double-free in kfree+0xdc/0x1d4 Free of addr * by task sh/4879 Call trace: ... kfree+0xdc/0x1d4 create_or_delete_synth_event+0x60/0x1e8 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...

Allocated by task 4879: ... kstrdup+0x5c/0x98 create_or_delete_synth_event+0x6c/0x1e8 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...

Freed by task 5464: ... kfree+0xdc/0x1d4 create_or_delete_synth_event+0x60/0x1e8 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...

================================================================ Appendix 2. KASAN report use-after-free:

BUG: KASAN: use-after-free in strlen+0x5c/0x7c Read of size 1 at addr * by task sh/5483 sh: CPU: 7 PID: 5483 Comm: sh ... __asan_report_load1_noabort+0x34/0x44 strlen+0x5c/0x7c tracing_log_err+0x60/0x444 create_or_delete_synth_event+0xc4/0x204 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...

Allocated by task 5483: ... kstrdup+0x5c/0x98 create_or_delete_synth_event+0x80/0x204 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...

Freed by task 5480: ... kfree+0xdc/0x1d4 create_or_delete_synth_event+0x74/0x204 trace_parse_run_command+0x2bc/0x4b8 synth_events_write+0x20/0x30 vfs_write+0x200/0x830 ...

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:50Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/synthetic: Fix races on freeing last_cmd\n\nCurrently, the \"last_cmd\" variable can be accessed by multiple processes\nasynchronously when multiple users manipulate synthetic_events node\nat the same time, it could lead to use-after-free or double-free.\n\nThis patch add \"lastcmd_mutex\" to prevent \"last_cmd\" from being accessed\nasynchronously.\n\n================================================================\n\nIt\u0027s easy to reproduce in the KASAN environment by running the two\nscripts below in different shells.\n\nscript 1:\n        while :\n        do\n                echo -n -e \u0027\\x88\u0027 \u003e /sys/kernel/tracing/synthetic_events\n        done\n\nscript 2:\n        while :\n        do\n                echo -n -e \u0027\\xb0\u0027 \u003e /sys/kernel/tracing/synthetic_events\n        done\n\n================================================================\ndouble-free scenario:\n\n    process A                       process B\n-------------------               ---------------\n1.kstrdup last_cmd\n                                  2.free last_cmd\n3.free last_cmd(double-free)\n\n================================================================\nuse-after-free scenario:\n\n    process A                       process B\n-------------------               ---------------\n1.kstrdup last_cmd\n                                  2.free last_cmd\n3.tracing_log_err(use-after-free)\n\n================================================================\n\nAppendix 1. KASAN report double-free:\n\nBUG: KASAN: double-free in kfree+0xdc/0x1d4\nFree of addr ***** by task sh/4879\nCall trace:\n        ...\n        kfree+0xdc/0x1d4\n        create_or_delete_synth_event+0x60/0x1e8\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\nAllocated by task 4879:\n        ...\n        kstrdup+0x5c/0x98\n        create_or_delete_synth_event+0x6c/0x1e8\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\nFreed by task 5464:\n        ...\n        kfree+0xdc/0x1d4\n        create_or_delete_synth_event+0x60/0x1e8\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\n================================================================\nAppendix 2. KASAN report use-after-free:\n\nBUG: KASAN: use-after-free in strlen+0x5c/0x7c\nRead of size 1 at addr ***** by task sh/5483\nsh: CPU: 7 PID: 5483 Comm: sh\n        ...\n        __asan_report_load1_noabort+0x34/0x44\n        strlen+0x5c/0x7c\n        tracing_log_err+0x60/0x444\n        create_or_delete_synth_event+0xc4/0x204\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\nAllocated by task 5483:\n        ...\n        kstrdup+0x5c/0x98\n        create_or_delete_synth_event+0x80/0x204\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\nFreed by task 5480:\n        ...\n        kfree+0xdc/0x1d4\n        create_or_delete_synth_event+0x74/0x204\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...",
  "id": "GHSA-q32w-2qjp-8m8q",
  "modified": "2026-01-20T18:31:52Z",
  "published": "2025-10-01T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53478"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ccf11c4e8a8e051499d53a12f502196c97a758e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8826d9e7bd51e7656f78baa4472e8e2f5e7069f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9fe183f659a2704255e5d84f6ae308c234a113ec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q35M-CWFX-J6JX

Vulnerability from github – Published: 2025-12-16 15:30 – Updated: 2026-02-26 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

timers: Fix NULL function pointer race in timer_shutdown_sync()

There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers().

The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this:

CPU0 CPU1 lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base()

The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers().

Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T14:15:54Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers: Fix NULL function pointer race in timer_shutdown_sync()\n\nThere is a race condition between timer_shutdown_sync() and timer\nexpiration that can lead to hitting a WARN_ON in expire_timers().\n\nThe issue occurs when timer_shutdown_sync() clears the timer function\nto NULL while the timer is still running on another CPU. The race\nscenario looks like this:\n\nCPU0\t\t\t\t\tCPU1\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tbase-\u003erunning_timer = timer;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t[call_timer_fn enter]\n\t\t\t\t\tmod_timer()\n\t\t\t\t\t...\ntimer_shutdown_sync()\nlock_timer_base()\n// For now, will not detach the timer but only clear its function to NULL\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\t\t\t\t\t[call_timer_fn exit]\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\tbase-\u003erunning_timer = NULL;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t...\n\t\t\t\t\t// Now timer is pending while its function set to NULL.\n\t\t\t\t\t// next timer trigger\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tWARN_ON_ONCE(!fn) // hit\n\t\t\t\t\t...\nlock_timer_base()\n// Now timer will detach\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\nThe problem is that timer_shutdown_sync() clears the timer function\nregardless of whether the timer is currently running. This can leave a\npending timer with a NULL function pointer, which triggers the\nWARN_ON_ONCE(!fn) check in expire_timers().\n\nFix this by only clearing the timer function when actually detaching the\ntimer. If the timer is running, leave the function pointer intact, which is\nsafe because the timer will be properly detached when it finishes running.",
  "id": "GHSA-q35m-cwfx-j6jx",
  "modified": "2026-02-26T18:31:34Z",
  "published": "2025-12-16T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68214"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba43ac025c4318241f8edf94f31d2eebab86991b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3F9-G8Q7-FRJ2

Vulnerability from github – Published: 2022-05-14 03:10 – Updated: 2022-05-14 03:10
VLAI
Details

Due to a race condition in the QTEECOM driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, when more than one HLOS client loads the same TA, a Use After Free condition can occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-12T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Due to a race condition in the QTEECOM driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, when more than one HLOS client loads the same TA, a Use After Free condition can occur.",
  "id": "GHSA-q3f9-g8q7-frj2",
  "modified": "2022-05-14T03:10:26Z",
  "published": "2022-05-14T03:10:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5849"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-05-01"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3FF-M98V-RJ6M

Vulnerability from github – Published: 2022-05-01 18:44 – Updated: 2022-05-01 18:44
VLAI
Details

Race condition in fileserver in OpenAFS 1.3.50 through 1.4.5 and 1.5.0 through 1.5.27 allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-6599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-01-04T02:46:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in fileserver in OpenAFS 1.3.50 through 1.4.5 and 1.5.0 through 1.5.27 allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock.",
  "id": "GHSA-q3ff-m98v-rj6m",
  "modified": "2022-05-01T18:44:34Z",
  "published": "2022-05-01T18:44:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6599"
    },
    {
      "type": "WEB",
      "url": "http://lists.openafs.org/pipermail/openafs-announce/2007/000220.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/28327"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/28401"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/28433"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/28636"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200801-04.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2008/dsa-1458"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:207"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/linux/security/advisories/suse_security_summary_report.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openafs.org/security/OPENAFS-SA-2007-003.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/27132"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0046"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q3FR-W6RP-RJ7G

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Use after free in Windows NTFS allows an unauthorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:46Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows NTFS allows an unauthorized attacker to elevate privileges locally.",
  "id": "GHSA-q3fr-w6rp-rj7g",
  "modified": "2025-10-14T18:30:30Z",
  "published": "2025-10-14T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55335"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55335"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3G2-22XW-GVF8

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32
VLAI
Details

A race condition was addressed with improved state handling. This issue is fixed in macOS Catalina 10.15.5. An application may be able to execute arbitrary code with kernel privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-22T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A race condition was addressed with improved state handling. This issue is fixed in macOS Catalina 10.15.5. An application may be able to execute arbitrary code with kernel privileges.",
  "id": "GHSA-q3g2-22xw-gvf8",
  "modified": "2022-05-24T17:32:03Z",
  "published": "2022-05-24T17:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9796"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT211170"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q3GR-2743-CWM5

Vulnerability from github – Published: 2024-05-22 09:31 – Updated: 2025-09-24 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: fix a race between writeprotect and exit_mmap()

A race is possible when a process exits, its VMAs are removed by exit_mmap() and at the same time userfaultfd_writeprotect() is called.

The race was detected by KASAN on a development kernel, but it appears to be possible on vanilla kernels as well.

Use mmget_not_zero() to prevent the race as done in other userfaultfd operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T07:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: fix a race between writeprotect and exit_mmap()\n\nA race is possible when a process exits, its VMAs are removed by\nexit_mmap() and at the same time userfaultfd_writeprotect() is called.\n\nThe race was detected by KASAN on a development kernel, but it appears\nto be possible on vanilla kernels as well.\n\nUse mmget_not_zero() to prevent the race as done in other userfaultfd\noperations.",
  "id": "GHSA-q3gr-2743-cwm5",
  "modified": "2025-09-24T15:31:12Z",
  "published": "2024-05-22T09:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47461"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/149958ecd0627a9f1e9c678c25c665400054cd6a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cda4bfffd4f755645577aaa9e96a606657b4525"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb185d5f1ebf900f4ae3bf84cee212e6dd035aca"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3HP-2MFJ-H9CX

Vulnerability from github – Published: 2022-05-17 05:24 – Updated: 2022-05-17 05:24
VLAI
Details

Multiple race conditions in Comodo Internet Security before 5.8.213334.2131 allow local users to bypass the Defense+ feature via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-5118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-08-26T03:17:00Z",
    "severity": "LOW"
  },
  "details": "Multiple race conditions in Comodo Internet Security before 5.8.213334.2131 allow local users to bypass the Defense+ feature via unspecified vectors.",
  "id": "GHSA-q3hp-2mfj-h9cx",
  "modified": "2022-05-17T05:24:48Z",
  "published": "2022-05-17T05:24:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5118"
    },
    {
      "type": "WEB",
      "url": "http://personalfirewall.comodo.com/release_notes.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.