{"@ID": "662", "@Name": "Improper Synchronization", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.", "Extended_Description": {"xhtml:p": "Synchronization refers to a variety of behaviors and mechanisms that allow two or more independently-operating processes or threads to ensure that they operate on shared resources in predictable ways that do not interfere with each other.  Some shared resource operations cannot be executed atomically; that is, multiple steps must be guaranteed to execute sequentially, without any interference by other processes.  Synchronization mechanisms vary widely, but they may include locking, mutexes, and semaphores.  When a multi-step operation on a shared resource cannot be guaranteed to execute independent of interference, then the resulting behavior can be unpredictable. Improper synchronization could lead to data or memory corruption, denial of service, etc."}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "664", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "691", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "362", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Integrity", "Confidentiality", "Other"], "Impact": ["Modify Application Data", "Read Application Data", "Alter Execution Logic"]}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Description": "Use industry standard APIs to synchronize your code."}}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-24", "Intro_Text": "The following function attempts to acquire a lock in order to perform operations on a shared resource.", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": "/* access shared resource */", "#text": "pthread_mutex_lock(mutex);\n                           \n                           \n                           \n                           \n                           pthread_mutex_unlock(mutex);"}}, "#text": "void f(pthread_mutex_t *mutex) {}"}}, {"@Nature": "Good", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "return result;"}, "xhtml:i": "/* access shared resource */", "#text": "int result;\n                           result = pthread_mutex_lock(mutex);if (0 != result)\n                           \n                           \n                           \n                           \n                           \n                           return pthread_mutex_unlock(mutex);"}}, "#text": "int f(pthread_mutex_t *mutex) {}"}}], "Body_Text": ["However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.", "In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels."]}, {"@Demonstrative_Example_ID": "DX-170", "Intro_Text": "The following code intends to fork a process, then have both the parent and child processes print a single line.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:i": "/* Make timing window a little larger... */", "#text": "putc(counter, stdout);fflush(stdout);\n                                 \n                                 \n                                 sleep(1);"}}, "#text": "char * word;int counter;for (word = string; counter = *word++; ) {}"}}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "exit(-2);"}, {"@style": "margin-left:1em;", "#text": "print(\"child\\n\");"}, {"@style": "margin-left:1em;", "#text": "print(\"PARENT\\n\");"}], "#text": "pid_t pid;\n                           pid = fork();if (pid == -1) {}else if (pid == 0) {}else {}exit(0);"}}], "xhtml:br": [null, null], "#text": "static void print (char * string) {}\n                     int main(void) {}"}}, "Body_Text": ["One might expect the code to print out something like:", {"xhtml:div": {"xhtml:div": ["PARENT", "child"]}}, "However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as:", {"xhtml:div": {"xhtml:div": ["PcAhRiElNdT", "[blank line]", "[blank line]"]}}]}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2021-1782", "Description": "Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV.", "Link": "https://www.cve.org/CVERecord?id=CVE-2021-1782"}, {"Reference": "CVE-2009-0935", "Description": "Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-0935"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "SIG00-C", "Entry_Name": "Mask signals handled by noninterruptible signal handlers"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "SIG31-C", "Entry_Name": "Do not access shared objects in signal handlers", "Mapping_Fit": "CWE More Abstract"}, {"@Taxonomy_Name": "CLASP", "Entry_Name": "State synchronization error"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "VNA03-J", "Entry_Name": "Do not assume that a group of calls to independently atomic methods is atomic"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP19", "Entry_Name": "Missing Lock"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "25"}, {"@CAPEC_ID": "26"}, {"@CAPEC_ID": "27"}, {"@CAPEC_ID": "29"}]}, "Mapping_Notes": {"Usage": "Discouraged", "Rationale": "This CWE entry is a level-1 Class (i.e., a child of a Pillar). It might have lower-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Notes": {"Note": {"@Type": "Research Gap", "#text": "Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc.  CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Community", "Submission_Date": "2008-04-11", "Submission_Version": "Draft 9", "Submission_ReleaseDate": "2008-04-11", "Submission_Comment": "Submitted by members of the CWE community to extend early CWE versions"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Name, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Description, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-07-17", "Modification_Version": "2.5", "Modification_ReleaseDate": "2013-07-17", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-09-23", "Modification_Version": "3.4.1", "Modification_ReleaseDate": "2019-09-23", "Modification_Comment": "updated Description, Maintenance_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Description, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Description, Detection_Factors, Relationships, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Maintenance_Notes, Research_Gaps"}], "Previous_Entry_Name": {"@Date": "2010-09-27", "#text": "Insufficient Synchronization"}}}
