CWE-367
AllowedTime-of-check Time-of-use (TOCTOU) Race Condition
Abstraction: Base · Status: Incomplete
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
1068 vulnerabilities reference this CWE, most recent first.
GHSA-6MM6-M775-CHPM
Vulnerability from github – Published: 2026-05-20 15:35 – Updated: 2026-06-30 03:36Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
{
"affected": [],
"aliases": [
"CVE-2026-5947"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T13:16:40Z",
"severity": "HIGH"
},
"details": "Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.\nBIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
"id": "GHSA-6mm6-m775-chpm",
"modified": "2026-06-30T03:36:45Z",
"published": "2026-05-20T15:35:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5947"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7412"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-5947"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479772"
},
{
"type": "WEB",
"url": "https://downloads.isc.org/isc/bind9/9.20.23"
},
{
"type": "WEB",
"url": "https://downloads.isc.org/isc/bind9/9.21.22"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/cve-2026-5947"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5947.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PJG-WMM6-R8RP
Vulnerability from github – Published: 2026-06-13 03:30 – Updated: 2026-06-30 03:37A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing.
{
"affected": [],
"aliases": [
"CVE-2026-54228"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-13T03:16:21Z",
"severity": "HIGH"
},
"details": "A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service\u0027s SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing.",
"id": "GHSA-6pjg-wmm6-r8rp",
"modified": "2026-06-30T03:37:03Z",
"published": "2026-06-13T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54228"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-54228"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488531"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54228.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6Q2V-VFWP-PVWH
Vulnerability from github – Published: 2026-03-29 15:30 – Updated: 2026-04-06 22:46Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-vhwf-4x96-vqx2. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T22:46:34Z",
"nvd_published_at": "2026-03-29T13:17:03Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vhwf-4x96-vqx2. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory.",
"id": "GHSA-6q2v-vfwp-pvwh",
"modified": "2026-04-06T22:46:34Z",
"published": "2026-03-29T15:30:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33574"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw\u0027s skills-install-download can be redirected outside the tools root by rebinding the validated base path",
"withdrawn": "2026-04-06T22:46:34Z"
}
GHSA-6QF9-3C85-X94Q
Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2022-07-23 00:00This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.5.0 (49183). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. By creating a symbolic link, an attacker can abuse the service to execute a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-13932.
{
"affected": [],
"aliases": [
"CVE-2021-34986"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-15T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.5.0 (49183). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. By creating a symbolic link, an attacker can abuse the service to execute a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-13932.",
"id": "GHSA-6qf9-3c85-x94q",
"modified": "2022-07-23T00:00:23Z",
"published": "2022-07-16T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34986"
},
{
"type": "WEB",
"url": "https://kb.parallels.com/en/125013"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-385"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6QFF-8M44-XGJ8
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Time-of-check time-of-use (toctou) race condition in Windows Network File System allows an authorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2026-56648"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:31Z",
"severity": "HIGH"
},
"details": "Time-of-check time-of-use (toctou) race condition in Windows Network File System allows an authorized attacker to elevate privileges over a network.",
"id": "GHSA-6qff-8m44-xgj8",
"modified": "2026-07-14T18:32:38Z",
"published": "2026-07-14T18:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56648"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56648"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6QMF-MMC7-6C2P
Vulnerability from github – Published: 2023-06-14 16:44 – Updated: 2024-06-03 18:29Description
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET 6.0, .NET 7.0 and NuGet(nuget.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement) where a potential race condition that can lead to a symlink attack on Linux. Non-Linux platforms are not affected.
Affected software
This issue only affects Linux systems.
NuGet & NuGet Packages
- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.6.0 version or earlier.
- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.5.0 version or earlier.
- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.4.1 version or earlier.
- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.3.2 version or earlier.
- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.2.3 version or earlier.
- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.0.4 version or earlier.
- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 5.11.4
.NET SDK(s)
- Any .NET SDK 7.0.106 or earlier, or 7.0.303 or earlier
- Any .NET SDK 6.0.117 or earlier, or 6.0.312 or earlier, or 6.0.409 or earlier.
Patches
To fix the issue, please install the latest version of .NET 6.0 or .NET 7.0 and NuGet (NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, NuGet.PackageManagement versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
- If you're using NuGet.exe 6.6.0 or lower, you should download and install 6.6.1 from https://dist.nuget.org/win-x86-commandline/v6.6.1/nuget.exe.
- If you're using NuGet.exe 6.5.0 or lower, you should download and install 6.5.1 from https://dist.nuget.org/win-x86-commandline/v6.5.1/nuget.exe.
- If you're using NuGet.exe 6.4.1 or lower, you should download and install 6.4.2 from https://dist.nuget.org/win-x86-commandline/v6.4.2/nuget.exe.
- If you're using NuGet.exe 6.3.2 or lower, you should download and install 6.3.3 from https://dist.nuget.org/win-x86-commandline/v6.3.3/nuget.exe.
- If you're using NuGet.exe 6.2.3 or lower, you should download and install 6.2.4 from https://dist.nuget.org/win-x86-commandline/v6.2.4/nuget.exe.
- If you're using NuGet.exe 6.0.4 or lower, you should download and install 6.0.5 from https://dist.nuget.org/win-x86-commandline/v6.0.5/nuget.exe.
- If you're using NuGet.exe 5.11.4 or lower, you should download and install 5.11.5 from https://dist.nuget.org/win-x86-commandline/v5.11.5/nuget.exe.
-
If you're using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0.
-
If you're using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0.
- If you're using .NET 6.0, you should download and install Runtime 6.0.18 or SDK 6.0.118 or SDK 6.0.312 from https://dotnet.microsoft.com/download/dotnet-core/6.0.
Other details
Announcement for this issue can be found at https://github.com/NuGet/Announcements/issues/69
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.NuGetSdkResolver"
},
"versions": [
"5.9.0-rc.7122"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.PackageManagement"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.PackageManagement"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.PackageManagement"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.PackageManagement"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.PackageManagement"
},
"ranges": [
{
"events": [
{
"introduced": "6.5.0"
},
{
"fixed": "6.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.5.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.PackageManagement"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0"
},
{
"fixed": "6.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.6.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.NuGetSdkResolver"
},
"versions": [
"5.10.0-rc.7240"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.NuGetSdkResolver"
},
"versions": [
"5.11.0-rc.10"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.5.0"
},
{
"fixed": "6.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.5.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0"
},
{
"fixed": "6.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.6.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.5.0"
},
{
"fixed": "6.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.5.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0"
},
{
"fixed": "6.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.6.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Common"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Common"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Common"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Common"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Common"
},
"ranges": [
{
"events": [
{
"introduced": "6.5.0"
},
{
"fixed": "6.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.5.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Common"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0"
},
{
"fixed": "6.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.6.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.5.0"
},
{
"fixed": "6.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.5.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0"
},
{
"fixed": "6.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.6.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.PackageManagement"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "5.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "5.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "5.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Common"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "5.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "4.7.0"
},
{
"fixed": "5.11.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29337"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-14T16:44:21Z",
"nvd_published_at": "2023-06-14T15:15:09Z",
"severity": "HIGH"
},
"details": "### Description\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA vulnerability exists in .NET 6.0, .NET 7.0 and NuGet(nuget.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement) where a potential race condition that can lead to a symlink attack on Linux. Non-Linux platforms are not affected.\n\n### Affected software\nThis issue only affects Linux systems.\n\n#### NuGet \u0026 NuGet Packages\n\n- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.6.0 version or earlier.\n- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.5.0 version or earlier.\n- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.4.1 version or earlier.\n- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.3.2 version or earlier.\n- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.2.3 version or earlier.\n- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.0.4 version or earlier.\n- Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 5.11.4\n\n#### .NET SDK(s)\n\n- Any .NET SDK 7.0.106 or earlier, or 7.0.303 or earlier\n- Any .NET SDK 6.0.117 or earlier, or 6.0.312 or earlier, or 6.0.409 or earlier.\n\n\n### Patches\nTo fix the issue, please install the latest version of .NET 6.0 or .NET 7.0 and NuGet (NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, NuGet.PackageManagement versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.\n\n- If you\u0027re using NuGet.exe 6.6.0 or lower, you should download and install 6.6.1 from https://dist.nuget.org/win-x86-commandline/v6.6.1/nuget.exe.\n- If you\u0027re using NuGet.exe 6.5.0 or lower, you should download and install 6.5.1 from https://dist.nuget.org/win-x86-commandline/v6.5.1/nuget.exe.\n- If you\u0027re using NuGet.exe 6.4.1 or lower, you should download and install 6.4.2 from https://dist.nuget.org/win-x86-commandline/v6.4.2/nuget.exe.\n- If you\u0027re using NuGet.exe 6.3.2 or lower, you should download and install 6.3.3 from https://dist.nuget.org/win-x86-commandline/v6.3.3/nuget.exe.\n- If you\u0027re using NuGet.exe 6.2.3 or lower, you should download and install 6.2.4 from https://dist.nuget.org/win-x86-commandline/v6.2.4/nuget.exe.\n- If you\u0027re using NuGet.exe 6.0.4 or lower, you should download and install 6.0.5 from https://dist.nuget.org/win-x86-commandline/v6.0.5/nuget.exe.\n- If you\u0027re using NuGet.exe 5.11.4 or lower, you should download and install 5.11.5 from https://dist.nuget.org/win-x86-commandline/v5.11.5/nuget.exe.\n- If you\u0027re using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0.\n\n- If you\u0027re using .NET 7.0, you should download and install Runtime 7.0.7 or SDK 7.0.107 or SDK 7.0.304 from https://dotnet.microsoft.com/download/dotnet-core/7.0.\n- If you\u0027re using .NET 6.0, you should download and install Runtime 6.0.18 or SDK 6.0.118 or SDK 6.0.312 from https://dotnet.microsoft.com/download/dotnet-core/6.0.\n\n\n### Other details\nAnnouncement for this issue can be found at https://github.com/NuGet/Announcements/issues/69\n\nMSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337\n",
"id": "GHSA-6qmf-mmc7-6c2p",
"modified": "2024-06-03T18:29:14Z",
"published": "2023-06-14T16:44:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NuGet/NuGet.Client/security/advisories/GHSA-6qmf-mmc7-6c2p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29337"
},
{
"type": "WEB",
"url": "https://github.com/NuGet/NuGet.Client/commit/7fe6b814c901490292f02d8ea12749505fbb959a"
},
{
"type": "PACKAGE",
"url": "https://github.com/NuGet/NuGet.Client"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "NuGet Client Remote Code Execution Vulnerability"
}
GHSA-6QPH-W3P3-9CV3
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31Time-of-check time-of-use (toctou) race condition in Graphics Kernel allows an authorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-55236"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:16:06Z",
"severity": "HIGH"
},
"details": "Time-of-check time-of-use (toctou) race condition in Graphics Kernel allows an authorized attacker to execute code locally.",
"id": "GHSA-6qph-w3p3-9cv3",
"modified": "2025-09-09T18:31:23Z",
"published": "2025-09-09T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55236"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55236"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6R8G-H8H9-FX3Q
Vulnerability from github – Published: 2023-06-12 21:30 – Updated: 2024-04-04 04:43Potential Time-of-Check to Time-of Use (TOCTOU) vulnerabilities have been identified in the HP BIOS for certain HP PC products which may allow arbitrary code execution, denial of service, and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-27539"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-12T19:15:09Z",
"severity": "HIGH"
},
"details": "Potential Time-of-Check to Time-of Use (TOCTOU) vulnerabilities have been identified in the HP BIOS for certain HP PC products which may allow arbitrary code execution, denial of service, and information disclosure.",
"id": "GHSA-6r8g-h8h9-fx3q",
"modified": "2024-04-04T04:43:51Z",
"published": "2023-06-12T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27539"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_7709808-7709835-16/hpsbhf03835"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6V48-QPG5-FJ4M
Vulnerability from github – Published: 2023-09-13 18:31 – Updated: 2024-01-25 18:30A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system.
This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device.
{
"affected": [],
"aliases": [
"CVE-2023-20135"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-13T17:15:09Z",
"severity": "HIGH"
},
"details": "A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system.\n\n This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device.",
"id": "GHSA-6v48-qpg5-fj4m",
"modified": "2024-01-25T18:30:43Z",
"published": "2023-09-13T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20135"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6W27-C66F-GVHQ
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-28 02:44Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing security mechanisms. Exploitation of this issue requires user interaction.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.7-beta1"
},
{
"fixed": "2.4.7-p4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.6-p1"
},
{
"fixed": "2.4.6-p9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.5-p1"
},
{
"fixed": "2.4.5-p11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4-p12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.7"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.6"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.5"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.4"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.8-beta1"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24430"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-28T02:44:46Z",
"nvd_published_at": "2025-02-11T18:15:45Z",
"severity": "LOW"
},
"details": "Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing security mechanisms. Exploitation of this issue requires user interaction.",
"id": "GHSA-6w27-c66f-gvhq",
"modified": "2025-02-28T02:44:46Z",
"published": "2025-02-11T18:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24430"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability"
}
Mitigation
The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
Mitigation
When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Mitigation
Limit the interleaving of operations on files from multiple processes.
Mitigation
If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.
Mitigation
Recheck the resource after the use call to verify that the action was taken appropriately.
Mitigation
Ensure that some environmental locking mechanism can be used to protect resources effectively.
Mitigation
Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.