Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2899 vulnerabilities reference this CWE, most recent first.

GHSA-W9FR-XV2X-W94Q

Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31
VLAI
Details

Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T18:15:16Z",
    "severity": "HIGH"
  },
  "details": "Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability",
  "id": "GHSA-w9fr-xv2x-w94q",
  "modified": "2024-08-13T18:31:16Z",
  "published": "2024-08-13T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38136"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38136"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9G9-5Q3R-QPXX

Vulnerability from github – Published: 2022-05-02 03:27 – Updated: 2022-05-02 03:27
VLAI
Details

Race condition in the Reset Safari implementation in Apple Safari before 4.0 on Windows might allow local users to read stored web-site passwords via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-1707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-06-10T18:00:00Z",
    "severity": "LOW"
  },
  "details": "Race condition in the Reset Safari implementation in Apple Safari before 4.0 on Windows might allow local users to read stored web-site passwords via unspecified vectors.",
  "id": "GHSA-w9g9-5q3r-qpxx",
  "modified": "2022-05-02T03:27:48Z",
  "published": "2022-05-02T03:27:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1707"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/55012"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35379"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42314"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT3613"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4456"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/35260"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/35352"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/1522"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/3046"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W9QP-349F-P25G

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows Clipboard Server allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:18:05Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Clipboard Server allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-w9qp-349f-p25g",
  "modified": "2026-07-14T18:32:30Z",
  "published": "2026-07-14T18:32:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50689"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50689"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9QR-VR3P-GQMX

Vulnerability from github – Published: 2024-04-04 09:30 – Updated: 2024-11-07 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between ordered extent completion and fiemap

For fiemap we recently stopped locking the target extent range for the whole duration of the fiemap call, in order to avoid a deadlock in a scenario where the fiemap buffer happens to be a memory mapped range of the same file. This use case is very unlikely to be useful in practice but it may be triggered by fuzz testing (syzbot, etc).

However by not locking the target extent range for the whole duration of the fiemap call we can race with an ordered extent. This happens like this:

1) The fiemap task finishes processing a file extent item that covers the file range [512K, 1M[, and that file extent item is the last item in the leaf currently being processed;

2) And ordered extent for the file range [768K, 2M[, in COW mode, completes (btrfs_finish_one_ordered()) and the file extent item covering the range [512K, 1M[ is trimmed to cover the range [512K, 768K[ and then a new file extent item for the range [768K, 2M[ is inserted in the inode's subvolume tree;

3) The fiemap task calls fiemap_next_leaf_item(), which then calls btrfs_next_leaf() to find the next leaf / item. This finds that the the next key following the one we previously processed (its type is BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding to the new file extent item inserted by the ordered extent, which has a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;

4) Later the fiemap code ends up at emit_fiemap_extent() and triggers the warning:

  if (cache->offset + cache->len > offset) {
           WARN_ON(1);
           return -EINVAL;
  }

Since we get 1M > 768K, because the previously emitted entry for the old extent covering the file range [512K, 1M[ ends at an offset that is greater than the new extent's start offset (768K). This makes fiemap fail with -EINVAL besides triggering the warning that produces a stack trace like the following:

 [1621.677651] ------------[ cut here ]------------
 [1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]
 [1621.677899] Modules linked in: btrfs blake2b_generic (...)
 [1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1
 [1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
 [1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]
 [1621.678033] Code: 2b 4c 89 63 (...)
 [1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206
 [1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000
 [1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90
 [1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000
 [1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000
 [1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850
 [1621.678044] FS:  00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000
 [1621.678046] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0
 [1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 [1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 [1621.678056] Call Trace:
 [1621.678074]  <TASK>
 [1621.678076]  ? __warn+0x80/0x130
 [1621.678082]  ? emit_fiemap_extent+0x84/0x90 [btrfs]
 [1621.678159]  ? report_bug+0x1f4/0x200
 [1621.678164]  ? handle_bug+0x42/0x70
 [1621.678167]  ? exc_invalid_op+0x14/0x70
 [1621.678170]  ? asm_exc_invalid_op+0x16/0x20
 [1621.678178]  ? emit_fiemap_extent+0x84/0x90 [btrfs]
 [1621.678253]  extent_fiemap+0x766

---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T09:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between ordered extent completion and fiemap\n\nFor fiemap we recently stopped locking the target extent range for the\nwhole duration of the fiemap call, in order to avoid a deadlock in a\nscenario where the fiemap buffer happens to be a memory mapped range of\nthe same file. This use case is very unlikely to be useful in practice but\nit may be triggered by fuzz testing (syzbot, etc).\n\nHowever by not locking the target extent range for the whole duration of\nthe fiemap call we can race with an ordered extent. This happens like\nthis:\n\n1) The fiemap task finishes processing a file extent item that covers\n   the file range [512K, 1M[, and that file extent item is the last item\n   in the leaf currently being processed;\n\n2) And ordered extent for the file range [768K, 2M[, in COW mode,\n   completes (btrfs_finish_one_ordered()) and the file extent item\n   covering the range [512K, 1M[ is trimmed to cover the range\n   [512K, 768K[ and then a new file extent item for the range [768K, 2M[\n   is inserted in the inode\u0027s subvolume tree;\n\n3) The fiemap task calls fiemap_next_leaf_item(), which then calls\n   btrfs_next_leaf() to find the next leaf / item. This finds that the\n   the next key following the one we previously processed (its type is\n   BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding\n   to the new file extent item inserted by the ordered extent, which has\n   a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;\n\n4) Later the fiemap code ends up at emit_fiemap_extent() and triggers\n   the warning:\n\n      if (cache-\u003eoffset + cache-\u003elen \u003e offset) {\n               WARN_ON(1);\n               return -EINVAL;\n      }\n\n   Since we get 1M \u003e 768K, because the previously emitted entry for the\n   old extent covering the file range [512K, 1M[ ends at an offset that\n   is greater than the new extent\u0027s start offset (768K). This makes fiemap\n   fail with -EINVAL besides triggering the warning that produces a stack\n   trace like the following:\n\n     [1621.677651] ------------[ cut here ]------------\n     [1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]\n     [1621.677899] Modules linked in: btrfs blake2b_generic (...)\n     [1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1\n     [1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n     [1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]\n     [1621.678033] Code: 2b 4c 89 63 (...)\n     [1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206\n     [1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000\n     [1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90\n     [1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000\n     [1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000\n     [1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850\n     [1621.678044] FS:  00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000\n     [1621.678046] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n     [1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0\n     [1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n     [1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n     [1621.678056] Call Trace:\n     [1621.678074]  \u003cTASK\u003e\n     [1621.678076]  ? __warn+0x80/0x130\n     [1621.678082]  ? emit_fiemap_extent+0x84/0x90 [btrfs]\n     [1621.678159]  ? report_bug+0x1f4/0x200\n     [1621.678164]  ? handle_bug+0x42/0x70\n     [1621.678167]  ? exc_invalid_op+0x14/0x70\n     [1621.678170]  ? asm_exc_invalid_op+0x16/0x20\n     [1621.678178]  ? emit_fiemap_extent+0x84/0x90 [btrfs]\n     [1621.678253]  extent_fiemap+0x766\n---truncated---",
  "id": "GHSA-w9qr-vr3p-gqmx",
  "modified": "2024-11-07T21:31:37Z",
  "published": "2024-04-04T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26794"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31d07a757c6d3430e03cc22799921569999b9a12"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1a4a9ca77f143c00fce69c1239887ff8b813bec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d43f8e58f10a44df8c08e7f7076f3288352cd168"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9QV-8MCJ-WH8F

Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-09-19 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race in read_extent_buffer_pages()

There are reports from tree-checker that detects corrupted nodes, without any obvious pattern so possibly an overwrite in memory. After some debugging it turns out there's a race when reading an extent buffer the uptodate status can be missed.

To prevent concurrent reads for the same extent buffer, read_extent_buffer_pages() performs these checks:

/* (1) */
if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
    return 0;

/* (2) */
if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))
    goto done;

At this point, it seems safe to start the actual read operation. Once that completes, end_bbio_meta_read() does

/* (3) */
set_extent_buffer_uptodate(eb);

/* (4) */
clear_bit(EXTENT_BUFFER_READING, &eb->bflags);

Normally, this is enough to ensure only one read happens, and all other callers wait for it to finish before returning. Unfortunately, there is a racey interleaving:

Thread A | Thread B | Thread C
---------+----------+---------
   (1)   |          |
         |    (1)   |
   (2)   |          |
   (3)   |          |
   (4)   |          |
         |    (2)   |
         |          |    (1)

When this happens, thread B kicks of an unnecessary read. Worse, thread C will see UPTODATE set and return immediately, while the read from thread B is still in progress. This race could result in tree-checker errors like this as the extent buffer is concurrently modified:

BTRFS critical (device dm-0): corrupted node, root=256
block=8550954455682405139 owner mismatch, have 11858205567642294356
expect [256, 18446744073709551360]

Fix it by testing UPTODATE again after setting the READING bit, and if it's been set, skip the unnecessary read.

[ minor update of changelog ]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T14:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race in read_extent_buffer_pages()\n\nThere are reports from tree-checker that detects corrupted nodes,\nwithout any obvious pattern so possibly an overwrite in memory.\nAfter some debugging it turns out there\u0027s a race when reading an extent\nbuffer the uptodate status can be missed.\n\nTo prevent concurrent reads for the same extent buffer,\nread_extent_buffer_pages() performs these checks:\n\n    /* (1) */\n    if (test_bit(EXTENT_BUFFER_UPTODATE, \u0026eb-\u003ebflags))\n        return 0;\n\n    /* (2) */\n    if (test_and_set_bit(EXTENT_BUFFER_READING, \u0026eb-\u003ebflags))\n        goto done;\n\nAt this point, it seems safe to start the actual read operation. Once\nthat completes, end_bbio_meta_read() does\n\n    /* (3) */\n    set_extent_buffer_uptodate(eb);\n\n    /* (4) */\n    clear_bit(EXTENT_BUFFER_READING, \u0026eb-\u003ebflags);\n\nNormally, this is enough to ensure only one read happens, and all other\ncallers wait for it to finish before returning.  Unfortunately, there is\na racey interleaving:\n\n    Thread A | Thread B | Thread C\n    ---------+----------+---------\n       (1)   |          |\n             |    (1)   |\n       (2)   |          |\n       (3)   |          |\n       (4)   |          |\n             |    (2)   |\n             |          |    (1)\n\nWhen this happens, thread B kicks of an unnecessary read. Worse, thread\nC will see UPTODATE set and return immediately, while the read from\nthread B is still in progress.  This race could result in tree-checker\nerrors like this as the extent buffer is concurrently modified:\n\n    BTRFS critical (device dm-0): corrupted node, root=256\n    block=8550954455682405139 owner mismatch, have 11858205567642294356\n    expect [256, 18446744073709551360]\n\nFix it by testing UPTODATE again after setting the READING bit, and if\nit\u0027s been set, skip the unnecessary read.\n\n[ minor update of changelog ]",
  "id": "GHSA-w9qv-8mcj-wh8f",
  "modified": "2025-09-19T15:31:07Z",
  "published": "2024-05-17T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35798"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9R2-QRPM-4RMJ

Vulnerability from github – Published: 2021-08-25 20:56 – Updated: 2023-01-24 19:02
VLAI
Summary
Data race in disrustor
Details

An issue was discovered in the disrustor crate through 2020-12-17 for Rust. RingBuffer doe not properly limit the number of mutable references.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "disrustor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:36:20Z",
    "nvd_published_at": "2021-08-08T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the disrustor crate through 2020-12-17 for Rust. RingBuffer doe not properly limit the number of mutable references.",
  "id": "GHSA-w9r2-qrpm-4rmj",
  "modified": "2023-01-24T19:02:15Z",
  "published": "2021-08-25T20:56:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36470"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sklose/disrustor/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sklose/disrustor/commit/0be7aed40adbac51a50a3b95c815349a40d79ca6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sklose/disrustor"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0150.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Data race in disrustor"
}

GHSA-W9V5-63V9-9QVJ

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in SMB request handling

A race condition exists between SMB request handling in ksmbd_conn_handler_loop() and the freeing of ksmbd_conn in the workqueue handler handle_ksmbd_work(). This leads to a UAF. - KASAN: slab-use-after-free Read in handle_ksmbd_work - KASAN: slab-use-after-free in rtlock_slowlock_locked

This race condition arises as follows: - ksmbd_conn_handler_loop() waits for conn->r_count to reach zero: wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0); - Meanwhile, handle_ksmbd_work() decrements conn->r_count using atomic_dec_return(&conn->r_count), and if it reaches zero, calls ksmbd_conn_free(), which frees conn. - However, after handle_ksmbd_work() decrements conn->r_count, it may still access conn->r_count_q in the following line: waitqueue_active(&conn->r_count_q) or wake_up(&conn->r_count_q) This results in a UAF, as conn has already been freed.

The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:26Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in SMB request handling\n\nA race condition exists between SMB request handling in\n`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the\nworkqueue handler `handle_ksmbd_work()`. This leads to a UAF.\n- KASAN: slab-use-after-free Read in handle_ksmbd_work\n- KASAN: slab-use-after-free in rtlock_slowlock_locked\n\nThis race condition arises as follows:\n- `ksmbd_conn_handler_loop()` waits for `conn-\u003er_count` to reach zero:\n  `wait_event(conn-\u003er_count_q, atomic_read(\u0026conn-\u003er_count) == 0);`\n- Meanwhile, `handle_ksmbd_work()` decrements `conn-\u003er_count` using\n  `atomic_dec_return(\u0026conn-\u003er_count)`, and if it reaches zero, calls\n  `ksmbd_conn_free()`, which frees `conn`.\n- However, after `handle_ksmbd_work()` decrements `conn-\u003er_count`,\n  it may still access `conn-\u003er_count_q` in the following line:\n  `waitqueue_active(\u0026conn-\u003er_count_q)` or `wake_up(\u0026conn-\u003er_count_q)`\n  This results in a UAF, as `conn` has already been freed.\n\nThe discovery of this UAF can be referenced in the following PR for\nsyzkaller\u0027s support for SMB requests.",
  "id": "GHSA-w9v5-63v9-9qvj",
  "modified": "2025-01-14T18:31:53Z",
  "published": "2024-12-27T15:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53186"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9V6-VP56-736P

Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2026-04-01 18:35
VLAI
Details

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Ays Pro Poll Maker allows Leveraging Race Conditions. This issue affects Poll Maker: from n/a through 5.7.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T15:16:11Z",
    "severity": "MODERATE"
  },
  "details": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability in Ays Pro Poll Maker allows Leveraging Race Conditions. This issue affects Poll Maker: from n/a through 5.7.7.",
  "id": "GHSA-w9v6-vp56-736p",
  "modified": "2026-04-01T18:35:03Z",
  "published": "2025-05-07T15:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47545"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/poll-maker/vulnerability/wordpress-poll-maker-5-7-7-race-condition-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC7P-3VCR-979V

Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-10 12:01
VLAI
Details

Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41045, CVE-2022-41100.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41045, CVE-2022-41100.",
  "id": "GHSA-wc7p-3vcr-979v",
  "modified": "2022-11-10T12:01:09Z",
  "published": "2022-11-10T12:01:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41093"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41093"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41093"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC9W-8X8G-533G

Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2024-03-14 21:30
VLAI
Details

Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-9529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-01-09T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.",
  "id": "GHSA-wc9w-8x8g-533g",
  "modified": "2024-03-14T21:30:49Z",
  "published": "2022-05-13T01:26:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9529"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/a3a8784454692dd72e5d5d34dcdab17b4420e74c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1179813"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99641"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=a3a8784454692dd72e5d5d34dcdab17b4420e74c"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a3a8784454692dd72e5d5d34dcdab17b4420e74c"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147864.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147973.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0864.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1137.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1138.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2015/dsa-3128"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:058"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/01/06/10"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/71880"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036763"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2511-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2512-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2513-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2514-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2515-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2516-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2517-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2518-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.