CWE-366
AllowedRace Condition within a Thread
Abstraction: Base · Status: Draft
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
34 vulnerabilities reference this CWE, most recent first.
GHSA-QHP7-446P-XQ88
Vulnerability from github – Published: 2023-11-09 21:30 – Updated: 2024-06-25 21:31A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2023-39198"
],
"database_specific": {
"cwe_ids": [
"CWE-366",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-09T20:15:08Z",
"severity": "HIGH"
},
"details": "A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.",
"id": "GHSA-qhp7-446p-xq88",
"modified": "2024-06-25T21:31:10Z",
"published": "2023-11-09T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39198"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2394"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2950"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3138"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-39198"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218332"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V727-F437-6CXX
Vulnerability from github – Published: 2023-12-21 21:30 – Updated: 2024-08-02 15:31A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2023-6546"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-366",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-21T20:15:08Z",
"severity": "HIGH"
},
"details": "A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.",
"id": "GHSA-v727-f437-6cxx",
"modified": "2024-08-02T15:31:16Z",
"published": "2023-12-21T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6546"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-20527"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255498"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-6546"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4970"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4729"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4577"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2697"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2621"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2394"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2093"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1614"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1612"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1607"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1306"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1253"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1250"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1055"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1019"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1018"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0937"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0930"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/10/18"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/10/21"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/11/7"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/11/9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/12/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/12/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/16/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/17/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJVQ-RCQJ-PWVP
Vulnerability from github – Published: 2023-06-13 12:30 – Updated: 2023-06-13 12:30Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5.
{
"affected": [],
"aliases": [
"CVE-2023-3218"
],
"database_specific": {
"cwe_ids": [
"CWE-366"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-13T11:15:08Z",
"severity": "MODERATE"
},
"details": "Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5.",
"id": "GHSA-vjvq-rcqj-pwvp",
"modified": "2023-06-13T12:30:18Z",
"published": "2023-06-13T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3218"
},
{
"type": "WEB",
"url": "https://github.com/it-novum/openitcockpit/commit/2c2c243964dda97a82eddb3804e39f9665c574bb"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/94d50b11-20ca-46e3-9086-dd6836421675"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XC56-V745-V4G3
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2025-01-14 21:31Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
{
"affected": [],
"aliases": [
"CVE-2021-26569"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-366"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-12T07:15:00Z",
"severity": "HIGH"
},
"details": "Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.",
"id": "GHSA-xc56-v745-v4g3",
"modified": "2025-01-14T21:31:41Z",
"published": "2022-05-24T17:44:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26569"
},
{
"type": "WEB",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-338"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment.
Mitigation
Create resource-locking validation checks. If no inherent locking mechanisms exist, use flags and signals to enforce your own blocking scheme when resources are being used by other threads of execution.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.