CWE-367
AllowedTime-of-check Time-of-use (TOCTOU) Race Condition
Abstraction: Base · Status: Incomplete
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
1063 vulnerabilities reference this CWE, most recent first.
GHSA-H47V-33FM-J33G
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2025-10-22 00:33Windows Kernel Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30088"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:15:56Z",
"severity": "HIGH"
},
"details": "Windows Kernel Elevation of Privilege Vulnerability",
"id": "GHSA-h47v-33fm-j33g",
"modified": "2025-10-22T00:33:03Z",
"published": "2024-06-11T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30088"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30088"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-30088"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H4FJ-PP9J-X2MJ
Vulnerability from github – Published: 2024-05-07 00:30 – Updated: 2024-05-07 00:30A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user accounts from a single invite link intended for only one user. This bypasses the intended security mechanism that restricts invite acceptance to a single user, leading to unauthorized user creation without detection in the invite tab. The issue is due to the lack of validation for concurrent requests in the backend.
{
"affected": [],
"aliases": [
"CVE-2024-2913"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T00:15:08Z",
"severity": "MODERATE"
},
"details": "A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user accounts from a single invite link intended for only one user. This bypasses the intended security mechanism that restricts invite acceptance to a single user, leading to unauthorized user creation without detection in the invite tab. The issue is due to the lack of validation for concurrent requests in the backend.",
"id": "GHSA-h4fj-pp9j-x2mj",
"modified": "2024-05-07T00:30:35Z",
"published": "2024-05-07T00:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2913"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/a3c69faf-cca0-4c10-8739-57e5bef7a95f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H5G4-PG5P-F88V
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-09-20 00:00A Race Condition Enabling Link Following vulnerability in the cron job shipped with texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local users in group mktex to delete arbitrary files on the system This issue affects: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 texlive-filesystem versions prior to 2017.135-9.5.1. SUSE Linux Enterprise Software Development Kit 12-SP4 texlive-filesystem versions prior to 2013.74-16.5.1. SUSE Linux Enterprise Software Development Kit 12-SP5 texlive-filesystem versions prior to 2013.74-16.5.1. openSUSE Leap 15.1 texlive-filesystem versions prior to 2017.135-lp151.8.3.1.
{
"affected": [],
"aliases": [
"CVE-2020-8017"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-02T14:15:00Z",
"severity": "LOW"
},
"details": "A Race Condition Enabling Link Following vulnerability in the cron job shipped with texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local users in group mktex to delete arbitrary files on the system This issue affects: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 texlive-filesystem versions prior to 2017.135-9.5.1. SUSE Linux Enterprise Software Development Kit 12-SP4 texlive-filesystem versions prior to 2013.74-16.5.1. SUSE Linux Enterprise Software Development Kit 12-SP5 texlive-filesystem versions prior to 2013.74-16.5.1. openSUSE Leap 15.1 texlive-filesystem versions prior to 2017.135-lp151.8.3.1.",
"id": "GHSA-h5g4-pg5p-f88v",
"modified": "2022-09-20T00:00:30Z",
"published": "2022-05-24T17:13:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8017"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1158910"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5J4-JJ3M-XGPG
Vulnerability from github – Published: 2026-02-13 00:32 – Updated: 2026-02-13 00:32Intego Log Reporter, a macOS diagnostic utility bundled with Intego security products that collects system and application logs for support analysis, contains a local privilege escalation vulnerability. A root-executed diagnostic script creates and writes files in /tmp without enforcing secure directory handling, introducing a time-of-check to time-of-use (TOCTOU) race condition. A local unprivileged user can exploit a symlink-based race condition to cause arbitrary file writes to privileged system locations, resulting in privilege escalation to root.
{
"affected": [],
"aliases": [
"CVE-2026-26224"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T22:16:07Z",
"severity": "HIGH"
},
"details": "Intego Log Reporter, a macOS diagnostic utility bundled with Intego security products that collects system and application logs for support analysis, contains a local privilege escalation vulnerability. A root-executed diagnostic script creates and writes files in /tmp without enforcing secure directory handling, introducing a time-of-check to time-of-use (TOCTOU) race condition. A local unprivileged user can exploit a symlink-based race condition to cause arbitrary file writes to privileged system locations, resulting in privilege escalation to root.",
"id": "GHSA-h5j4-jj3m-xgpg",
"modified": "2026-02-13T00:32:52Z",
"published": "2026-02-13T00:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26224"
},
{
"type": "WEB",
"url": "https://blog.quarkslab.com/intego_lpe_macos_1.html"
},
{
"type": "WEB",
"url": "https://blog.quarkslab.com/resources/2026-02-10_intego_1/40945709530779-How-to-Use-the-Intego-Log-Reporter.pdf"
},
{
"type": "WEB",
"url": "https://www.intego.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/intego-log-reporter-toctou-local-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H5R6-2GQ4-P8X5
Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-04-04 03:35Avast and AVG Antivirus for Windows were susceptible to a Time-of-check/Time-of-use (TOCTOU) vulnerability in the restore process leading to arbitrary file creation. The issue was fixed with Avast and AVG Antivirus version 22.11
{
"affected": [],
"aliases": [
"CVE-2023-1586"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T19:15:06Z",
"severity": "MODERATE"
},
"details": "Avast and AVG Antivirus for Windows were susceptible to a Time-of-check/Time-of-use (TOCTOU) vulnerability in the restore process leading to arbitrary file creation. The issue was fixed with Avast and AVG Antivirus version 22.11",
"id": "GHSA-h5r6-2gq4-p8x5",
"modified": "2024-04-04T03:35:21Z",
"published": "2023-04-19T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1586"
},
{
"type": "WEB",
"url": "https://support.norton.com/sp/static/external/tools/security-advisories.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-H5XR-3X7R-2W3W
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-23 00:00Possible hypervisor memory corruption due to TOC TOU race condition when updating address mappings in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
{
"affected": [],
"aliases": [
"CVE-2021-35090"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-14T10:15:00Z",
"severity": "HIGH"
},
"details": "Possible hypervisor memory corruption due to TOC TOU race condition when updating address mappings in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile",
"id": "GHSA-h5xr-3x7r-2w3w",
"modified": "2022-06-23T00:00:25Z",
"published": "2022-06-15T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35090"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/may-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6VW-38XQ-3XWX
Vulnerability from github – Published: 2026-03-23 09:30 – Updated: 2026-03-23 15:30The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush.
Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
{
"affected": [],
"aliases": [
"CVE-2026-23554"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-23T07:16:07Z",
"severity": "HIGH"
},
"details": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions.",
"id": "GHSA-h6vw-38xq-3xwx",
"modified": "2026-03-23T15:30:43Z",
"published": "2026-03-23T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23554"
},
{
"type": "WEB",
"url": "https://xenbits.xenproject.org/xsa/advisory-480.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"
},
{
"type": "WEB",
"url": "http://xenbits.xen.org/xsa/advisory-480.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H7P6-FC49-HC5H
Vulnerability from github – Published: 2025-08-06 09:30 – Updated: 2025-08-06 09:30Memory corruption while submitting blob data to kernel space though IOCTL.
{
"affected": [],
"aliases": [
"CVE-2025-21455"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T08:15:26Z",
"severity": "HIGH"
},
"details": "Memory corruption while submitting blob data to kernel space though IOCTL.",
"id": "GHSA-h7p6-fc49-hc5h",
"modified": "2025-08-06T09:30:35Z",
"published": "2025-08-06T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21455"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H8G9-6GVH-5MRC
Vulnerability from github – Published: 2022-10-06 23:12 – Updated: 2022-10-06 23:12Vulnerability type
Authentication
Workarounds
Refer to the gateway documentation. The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation.
Detail
The gateway only authenticates endpoints detected from DNS SRV records, and it only authenticates the detected endpoints once. Therefore, if an endpoint changes its authentication settings, the gateway will continue to assume the endpoint is still authenticated. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.
References
Find out more on this vulnerability in the security audit report
For more information
If you have any questions or comments about this advisory: * Contact the etcd security committee
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-06T23:12:38Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Vulnerability type\nAuthentication\n\n### Workarounds\nRefer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation. \n\n### Detail\nThe gateway only authenticates endpoints detected from DNS SRV records, and it only authenticates the detected endpoints once. Therefore, if an endpoint changes its authentication settings, the gateway will continue to assume the endpoint is still authenticated. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)",
"id": "GHSA-h8g9-6gvh-5mrc",
"modified": "2022-10-06T23:12:38Z",
"published": "2022-10-06T23:12:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-h8g9-6gvh-5mrc"
},
{
"type": "PACKAGE",
"url": "https://github.com/etcd-io/etcd"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "etcd vulnerable to TOCTOU of gateway endpoint authentication"
}
GHSA-HC2G-HVV2-QXV7
Vulnerability from github – Published: 2025-05-14 18:30 – Updated: 2025-05-14 18:30Time-of-check time-of-use race condition in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2025-30663"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-14T18:15:30Z",
"severity": "HIGH"
},
"details": "Time-of-check time-of-use race condition in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access.",
"id": "GHSA-hc2g-hvv2-qxv7",
"modified": "2025-05-14T18:30:51Z",
"published": "2025-05-14T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30663"
},
{
"type": "WEB",
"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25016"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
Mitigation
When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Mitigation
Limit the interleaving of operations on files from multiple processes.
Mitigation
If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.
Mitigation
Recheck the resource after the use call to verify that the action was taken appropriately.
Mitigation
Ensure that some environmental locking mechanism can be used to protect resources effectively.
Mitigation
Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.