Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2900 vulnerabilities reference this CWE, most recent first.

GHSA-WVR5-3FWJ-8F26

Vulnerability from github – Published: 2022-05-14 03:00 – Updated: 2025-04-20 03:46
VLAI
Details

Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-10T01:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.",
  "id": "GHSA-wvr5-3fwj-8f26",
  "modified": "2025-04-20T03:46:27Z",
  "published": "2022-05-14T03:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15038"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3575-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4213"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/10/06/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVXR-8P4P-PCPQ

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-03 09:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: fix race conditions in sco_sock_connect()

sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscalls on the same socket can both pass the check and enter sco_connect(), leading to use-after-free.

The buggy scenario involves three participants and was confirmed with additional logging instrumentation:

Thread A (connect): HCI disconnect: Thread B (connect):

sco_sock_connect(sk) sco_sock_connect(sk) sk_state==BT_OPEN sk_state==BT_OPEN (pass, no lock) (pass, no lock) sco_connect(sk): sco_connect(sk): hci_dev_lock hci_dev_lock hci_connect_sco <- blocked -> hcon1 sco_conn_add->conn1 lock_sock(sk) sco_chan_add: conn1->sk = sk sk->conn = conn1 sk_state=BT_CONNECT release_sock hci_dev_unlock hci_dev_lock sco_conn_del: lock_sock(sk) sco_chan_del: sk->conn=NULL conn1->sk=NULL sk_state= BT_CLOSED SOCK_ZAPPED release_sock hci_dev_unlock (unblocked) hci_connect_sco -> hcon2 sco_conn_add -> conn2 lock_sock(sk) sco_chan_add: sk->conn=conn2 sk_state= BT_CONNECT // zombie sk! release_sock hci_dev_unlock

Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to BT_CONNECT. Subsequent cleanup triggers double sock_put() and use-after-free. Meanwhile conn1 is leaked as it was orphaned when sco_conn_del() cleared the association.

Fix this by: - Moving lock_sock() before the sk_state/sk_type checks in sco_sock_connect() to serialize concurrent connect attempts - Fixing the sk_type != SOCK_SEQPACKET check to actually return the error instead of just assigning it - Adding a state re-check in sco_connect() after lock_sock() to catch state changes during the window between the locks - Adding sco_pi(sk)->conn check in sco_chan_add() to prevent double-attach of a socket to multiple connections - Adding hci_conn_drop() on sco_chan_add failure to prevent HCI connection leaks

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T15:16:46Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n  Thread A (connect):    HCI disconnect:      Thread B (connect):\n\n  sco_sock_connect(sk)                        sco_sock_connect(sk)\n  sk_state==BT_OPEN                           sk_state==BT_OPEN\n  (pass, no lock)                             (pass, no lock)\n  sco_connect(sk):                            sco_connect(sk):\n    hci_dev_lock                                hci_dev_lock\n    hci_connect_sco                               \u003c- blocked\n      -\u003e hcon1\n    sco_conn_add-\u003econn1\n    lock_sock(sk)\n    sco_chan_add:\n      conn1-\u003esk = sk\n      sk-\u003econn = conn1\n    sk_state=BT_CONNECT\n    release_sock\n    hci_dev_unlock\n                           hci_dev_lock\n                           sco_conn_del:\n                             lock_sock(sk)\n                             sco_chan_del:\n                               sk-\u003econn=NULL\n                               conn1-\u003esk=NULL\n                               sk_state=\n                                 BT_CLOSED\n                               SOCK_ZAPPED\n                             release_sock\n                           hci_dev_unlock\n                                                  (unblocked)\n                                                  hci_connect_sco\n                                                    -\u003e hcon2\n                                                  sco_conn_add\n                                                    -\u003e conn2\n                                                  lock_sock(sk)\n                                                  sco_chan_add:\n                                                    sk-\u003econn=conn2\n                                                  sk_state=\n                                                    BT_CONNECT\n                                                  // zombie sk!\n                                                  release_sock\n                                                  hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n  sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n  return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n  to catch state changes during the window between the locks\n- Adding sco_pi(sk)-\u003econn check in sco_chan_add() to prevent\n  double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n  HCI connection leaks",
  "id": "GHSA-wvxr-8p4p-pcpq",
  "modified": "2026-05-03T09:33:10Z",
  "published": "2026-05-01T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43023"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW35-MCVV-W37Q

Vulnerability from github – Published: 2022-05-14 03:48 – Updated: 2022-05-14 03:48
VLAI
Details

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the SPCom kernel driver, a race condition exists when creating a channel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-10T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the SPCom kernel driver, a race condition exists when creating a channel.",
  "id": "GHSA-ww35-mcvv-w37q",
  "modified": "2022-05-14T03:48:30Z",
  "published": "2022-05-14T03:48:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15847"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-01-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWCG-F5F8-7HPJ

Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-10 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ip: Fix data-races around sysctl_ip_prot_sock.

sysctl_ip_prot_sock is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix data-races around sysctl_ip_prot_sock.\n\nsysctl_ip_prot_sock is accessed concurrently, and there is always a chance\nof data-race.  So, all readers and writers need some basic protection to\navoid load/store-tearing.",
  "id": "GHSA-wwcg-f5f8-7hpj",
  "modified": "2025-03-10T21:31:10Z",
  "published": "2025-03-10T21:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49578"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95724fe897a4ecf2be51452ef96e818568071664"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9add240f76af6d141d2eebd3a1558a0e503a993d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b55c20f83369dd54541d9ddbe3a018a8377f451"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef699813d99cc29e6e25c9f6da7766526cc8bd6e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWHX-F3WH-2V8P

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix race condition in hci_cmd_sync_clear

There is a potential race condition in hci_cmd_sync_work and hci_cmd_sync_clear, and could lead to use-after-free. For instance, hci_cmd_sync_work is added to the 'req_workqueue' after cancel_work_sync The entry of 'cmd_sync_work_list' may be freed in hci_cmd_sync_clear, and causing kernel panic when it is used in 'hci_cmd_sync_work'.

Here's the call trace:

dump_stack_lvl+0x49/0x63 print_report.cold+0x5e/0x5d3 ? hci_cmd_sync_work+0x282/0x320 kasan_report+0xaa/0x120 ? hci_cmd_sync_work+0x282/0x320 __asan_report_load8_noabort+0x14/0x20 hci_cmd_sync_work+0x282/0x320 process_one_work+0x77b/0x11c0 ? _raw_spin_lock_irq+0x8e/0xf0 worker_thread+0x544/0x1180 ? poll_idle+0x1e0/0x1e0 kthread+0x285/0x320 ? process_one_work+0x11c0/0x11c0 ? kthread_complete_and_exit+0x30/0x30 ret_from_fork+0x22/0x30

Allocated by task 266: kasan_save_stack+0x26/0x50 __kasan_kmalloc+0xae/0xe0 kmem_cache_alloc_trace+0x191/0x350 hci_cmd_sync_queue+0x97/0x2b0 hci_update_passive_scan+0x176/0x1d0 le_conn_complete_evt+0x1b5/0x1a00 hci_le_conn_complete_evt+0x234/0x340 hci_le_meta_evt+0x231/0x4e0 hci_event_packet+0x4c5/0xf00 hci_rx_work+0x37d/0x880 process_one_work+0x77b/0x11c0 worker_thread+0x544/0x1180 kthread+0x285/0x320 ret_from_fork+0x22/0x30

Freed by task 269: kasan_save_stack+0x26/0x50 kasan_set_track+0x25/0x40 kasan_set_free_info+0x24/0x40 _kasanslab_free+0x176/0x1c0 kasan_slab_free+0x12/0x20 slab_free_freelist_hook+0x95/0x1a0 kfree+0xba/0x2f0 hci_cmd_sync_clear+0x14c/0x210 hci_unregister_dev+0xff/0x440 vhci_release+0x7b/0xf0 __fput+0x1f3/0x970 ____fput+0xe/0x20 task_work_run+0xd4/0x160 do_exit+0x8b0/0x22a0 do_group_exit+0xba/0x2a0 get_signal+0x1e4a/0x25b0 arch_do_signal_or_restart+0x93/0x1f80 exit_to_user_mode_prepare+0xf5/0x1a0 syscall_exit_to_user_mode+0x26/0x50 ret_from_fork+0x15/0x30

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:23Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix race condition in hci_cmd_sync_clear\n\nThere is a potential race condition in hci_cmd_sync_work and\nhci_cmd_sync_clear, and could lead to use-after-free. For instance,\nhci_cmd_sync_work is added to the \u0027req_workqueue\u0027 after cancel_work_sync\nThe entry of \u0027cmd_sync_work_list\u0027 may be freed in hci_cmd_sync_clear, and\ncausing kernel panic when it is used in \u0027hci_cmd_sync_work\u0027.\n\nHere\u0027s the call trace:\n\ndump_stack_lvl+0x49/0x63\nprint_report.cold+0x5e/0x5d3\n? hci_cmd_sync_work+0x282/0x320\nkasan_report+0xaa/0x120\n? hci_cmd_sync_work+0x282/0x320\n__asan_report_load8_noabort+0x14/0x20\nhci_cmd_sync_work+0x282/0x320\nprocess_one_work+0x77b/0x11c0\n? _raw_spin_lock_irq+0x8e/0xf0\nworker_thread+0x544/0x1180\n? poll_idle+0x1e0/0x1e0\nkthread+0x285/0x320\n? process_one_work+0x11c0/0x11c0\n? kthread_complete_and_exit+0x30/0x30\nret_from_fork+0x22/0x30\n\u003c/TASK\u003e\n\nAllocated by task 266:\nkasan_save_stack+0x26/0x50\n__kasan_kmalloc+0xae/0xe0\nkmem_cache_alloc_trace+0x191/0x350\nhci_cmd_sync_queue+0x97/0x2b0\nhci_update_passive_scan+0x176/0x1d0\nle_conn_complete_evt+0x1b5/0x1a00\nhci_le_conn_complete_evt+0x234/0x340\nhci_le_meta_evt+0x231/0x4e0\nhci_event_packet+0x4c5/0xf00\nhci_rx_work+0x37d/0x880\nprocess_one_work+0x77b/0x11c0\nworker_thread+0x544/0x1180\nkthread+0x285/0x320\nret_from_fork+0x22/0x30\n\nFreed by task 269:\nkasan_save_stack+0x26/0x50\nkasan_set_track+0x25/0x40\nkasan_set_free_info+0x24/0x40\n____kasan_slab_free+0x176/0x1c0\n__kasan_slab_free+0x12/0x20\nslab_free_freelist_hook+0x95/0x1a0\nkfree+0xba/0x2f0\nhci_cmd_sync_clear+0x14c/0x210\nhci_unregister_dev+0xff/0x440\nvhci_release+0x7b/0xf0\n__fput+0x1f3/0x970\n____fput+0xe/0x20\ntask_work_run+0xd4/0x160\ndo_exit+0x8b0/0x22a0\ndo_group_exit+0xba/0x2a0\nget_signal+0x1e4a/0x25b0\narch_do_signal_or_restart+0x93/0x1f80\nexit_to_user_mode_prepare+0xf5/0x1a0\nsyscall_exit_to_user_mode+0x26/0x50\nret_from_fork+0x15/0x30",
  "id": "GHSA-wwhx-f3wh-2v8p",
  "modified": "2025-11-12T18:31:04Z",
  "published": "2025-05-02T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53046"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c66bee492a5fe00ae3fe890bb693bfc99f994c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/608901a77c945ac15dea23f6098c9882ef19d9f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be586211a3ab40a4f4ca60450e0d31606afc55ec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWP4-JFVW-R542

Vulnerability from github – Published: 2022-05-02 03:45 – Updated: 2022-05-02 03:45
VLAI
Details

Unrestricted file upload vulnerability in RADactive I-Load before 2008.2.5.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, and then sending a request for a predictable filename during a short time window.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-3447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-09-29T15:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Unrestricted file upload vulnerability in RADactive I-Load before 2008.2.5.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, and then sending a request for a predictable filename during a short time window.",
  "id": "GHSA-wwp4-jfvw-r542",
  "modified": "2022-05-02T03:45:13Z",
  "published": "2022-05-02T03:45:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3447"
    },
    {
      "type": "WEB",
      "url": "https://www.sec-consult.com/files/20090917-0_RADactive_I-Load_Multiple_Vulnerabilities.txt"
    },
    {
      "type": "WEB",
      "url": "http://radnet.radactive.com/forum/Default.aspx?g=posts\u0026t=339"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23807"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/58197"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/506555/100/0/threaded"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WWXQ-357H-JJR5

Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-03 12:00
VLAI
Details

A race condition was addressed with improved state handling. This issue is fixed in macOS Ventura 13. An app may be able to execute arbitrary code with kernel privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-01T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A race condition was addressed with improved state handling. This issue is fixed in macOS Ventura 13. An app may be able to execute arbitrary code with kernel privileges.",
  "id": "GHSA-wwxq-357h-jjr5",
  "modified": "2022-11-03T12:00:31Z",
  "published": "2022-11-02T12:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42791"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213488"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213446"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX2R-54RX-4JV7

Vulnerability from github – Published: 2022-07-13 00:00 – Updated: 2022-07-13 00:00
VLAI
Details

Windows Group Policy Elevation of Privilege Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Windows Group Policy Elevation of Privilege Vulnerability.",
  "id": "GHSA-wx2r-54rx-4jv7",
  "modified": "2022-07-13T00:00:39Z",
  "published": "2022-07-13T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30205"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30205"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30205"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX9F-X53V-PQRR

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-09-03 00:00
VLAI
Details

A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running in parallel on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running in parallel on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.",
  "id": "GHSA-wx9f-x53v-pqrr",
  "modified": "2022-09-03T00:00:23Z",
  "published": "2022-05-24T17:36:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27825"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905155"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210521-0008"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4843"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXCV-623Q-99FJ

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2025-06-09 18:31
VLAI
Details

A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-26T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.",
  "id": "GHSA-wxcv-623q-99fj",
  "modified": "2025-06-09T18:31:57Z",
  "published": "2022-05-13T01:04:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15687"
    },
    {
      "type": "WEB",
      "url": "https://github.com/systemd/systemd/pull/10517/commits"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201810-10"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3816-1"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45715"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105748"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.