Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2903 vulnerabilities reference this CWE, most recent first.

GHSA-68X2-MX4Q-78M7

Vulnerability from github – Published: 2025-09-10 21:56 – Updated: 2025-09-10 21:56
VLAI
Summary
Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
Details

Impact

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.

In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.

The following APIs were vulnerable and required SSR-only breaking changes:

  • bootstrapApplication: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit BootstrapContext in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.
  • getPlatform: This function previously returned the last platform instance that was created. It now always returns null in a server environment.
  • destroyPlatform: This function previously destroyed the last platform instance that was created. It's now a no-op when called in a server environment.

For bootstrapApplication, the framework now provides a new argument to the application's bootstrap function:

// Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);

// After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

As is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:

# For apps on Angular v20:
ng update @angular/cli @angular/core

# For apps on Angular v19:
ng update @angular/cli@19 @angular/core@19

# For apps on Angular v18:
ng update @angular/cli@18 @angular/core@18

The schematic can also be invoked explicitly if the version bump was pulled in independently:

# For apps on Angular v20:
ng update @angular/core --name add-bootstrap-context-to-server-main

# For apps on Angular v19:
ng update @angular/core@19 --name add-bootstrap-context-to-server-main

# For apps on Angular v18:
ng update @angular/core@18 --name add-bootstrap-context-to-server-main

For applications that still use CommonEngine, the bootstrap property in CommonEngineOptions also gains the same context argument in the patched versions of Angular.

In local development (ng serve), Angular CLI triggered a codepath for Angular's "JIT" feature on the server even in applications that weren't using it in the browser. The codepath introduced async behavior between platform creation and application bootstrap, triggering the race condition even if an application didn't explicitly use getPlatform or custom async logic in bootstrap. Angular applications should never run in this mode outside of local development.

Patches

The issue has been patched in all active release lines as well as in the v21 prerelease:

  • @angular/platform-server: 21.0.0-next.3
  • @angular/platform-server: 20.3.0
  • @angular/platform-server: 19.2.15
  • @angular/platform-server: 18.2.14

  • @angular/ssr: 21.0.0-next.3

  • @angular/ssr: 20.3.0
  • @angular/ssr: 19.2.16
  • @angular/ssr: 18.2.21

Workarounds

  • Disable SSR via Server Routes (v19+) or builder options.
  • Remove any asynchronous behavior from custom bootstrap functions.
  • Remove uses of getPlatform() in application code.
  • Ensure that the server build defines ngJitMode as false.

References

  • https://github.com/angular/angular/pull/63562
  • https://github.com/angular/angular-cli/pull/31108
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-next.0"
            },
            {
              "fixed": "18.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0-next.0"
            },
            {
              "fixed": "20.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0-next.0"
            },
            {
              "fixed": "19.2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.0.0-next.0"
            },
            {
              "fixed": "21.0.0-next.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0-next.0"
            },
            {
              "fixed": "18.2.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0-next.0"
            },
            {
              "fixed": "19.2.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0-next.0"
            },
            {
              "fixed": "20.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.0.0-next.0"
            },
            {
              "fixed": "21.0.0-next.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nguniversal/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-next.0"
            },
            {
              "last_affected": "16.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-10T21:56:01Z",
    "nvd_published_at": "2025-09-10T21:15:37Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAngular uses a DI container (the \"platform injector\") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.\n\nIn practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.\n\nThe following APIs were vulnerable and required SSR-only breaking changes:\n\n* `bootstrapApplication`: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit `BootstrapContext` in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.\n* `getPlatform`: This function previously returned the last platform instance that was created. It now always returns `null` in a server environment.\n* `destroyPlatform`: This function previously destroyed the last platform instance that was created. It\u0027s now a no-op when called in a server environment.\n\nFor `bootstrapApplication`, the framework now provides a new argument to the application\u0027s bootstrap function:\n\n```ts\n// Before:\nconst bootstrap = () =\u003e bootstrapApplication(AppComponent, config);\n\n// After:\nconst bootstrap = (context: BootstrapContext) =\u003e\n  bootstrapApplication(AppComponent, config, context);\n```\n\nAs is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:\n\n```sh\n# For apps on Angular v20:\nng update @angular/cli @angular/core\n\n# For apps on Angular v19:\nng update @angular/cli@19 @angular/core@19\n\n# For apps on Angular v18:\nng update @angular/cli@18 @angular/core@18\n```\n\nThe schematic can also be invoked explicitly if the version bump was pulled in independently:\n\n```sh\n# For apps on Angular v20:\nng update @angular/core --name add-bootstrap-context-to-server-main\n\n# For apps on Angular v19:\nng update @angular/core@19 --name add-bootstrap-context-to-server-main\n\n# For apps on Angular v18:\nng update @angular/core@18 --name add-bootstrap-context-to-server-main\n```\n\nFor applications that still use `CommonEngine`, the `bootstrap` property in `CommonEngineOptions` also gains the same `context` argument in the patched versions of Angular.\n\nIn local development (`ng serve`), Angular CLI triggered a codepath for Angular\u0027s \"JIT\" feature on the server even in applications that weren\u0027t using it in the browser. The codepath introduced async behavior between platform creation and application bootstrap, triggering the race condition even if an application didn\u0027t explicitly use `getPlatform` or custom async logic in `bootstrap`. Angular applications should never run in this mode outside of local development.\n\n### Patches\n\nThe issue has been patched in [all active release lines](https://angular.dev/reference/releases#actively-supported-versions) as well as in the v21 prerelease:\n\n* `@angular/platform-server`: 21.0.0-next.3\n* `@angular/platform-server`: 20.3.0\n* `@angular/platform-server`: 19.2.15\n* `@angular/platform-server:` 18.2.14\n\n* `@angular/ssr`: 21.0.0-next.3\n* `@angular/ssr`: 20.3.0\n* `@angular/ssr`: 19.2.16\n* `@angular/ssr`: 18.2.21\n\n### Workarounds\n\n* Disable SSR via [Server Routes](https://angular.dev/guide/ssr#server-routing) (v19+) or builder options.\n* Remove any asynchronous behavior from custom `bootstrap` functions.\n* Remove uses of `getPlatform()` in application code.\n* Ensure that the server build defines `ngJitMode` as false.\n\n### References\n\n* https://github.com/angular/angular/pull/63562\n* https://github.com/angular/angular-cli/pull/31108",
  "id": "GHSA-68x2-mx4q-78m7",
  "modified": "2025-09-10T21:56:01Z",
  "published": "2025-09-10T21:56:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59052"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular-cli/pull/31108"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/pull/63562"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage"
}

GHSA-6946-M5H6-646G

Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-17 00:02
VLAI
Details

Windows ALPC Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-23287, CVE-2022-24505.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-09T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows ALPC Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-23287, CVE-2022-24505.",
  "id": "GHSA-6946-m5h6-646g",
  "modified": "2022-03-17T00:02:32Z",
  "published": "2022-03-10T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23283"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23283"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-696H-4CCP-C9W4

Vulnerability from github – Published: 2022-05-01 23:27 – Updated: 2022-05-01 23:27
VLAI
Details

Race condition in NSXML in Foundation for Apple Mac OS X 10.4.11 allows context-dependent attackers to execute arbitrary code via a crafted XML file, related to "error handling logic."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-0059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-03-18T23:44:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in NSXML in Foundation for Apple Mac OS X 10.4.11 allows context-dependent attackers to execute arbitrary code via a crafted XML file, related to \"error handling logic.\"",
  "id": "GHSA-696h-4ccp-c9w4",
  "modified": "2022-05-01T23:27:24Z",
  "published": "2022-05-01T23:27:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0059"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41296"
    },
    {
      "type": "WEB",
      "url": "http://docs.info.apple.com/article.html?artnum=307562"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29420"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28304"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28367"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1019650"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA08-079A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0924/references"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-698J-XV88-2HJ7

Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2025-11-26 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: state: initialize state_ptrs earlier in xfrm_state_find

In case of preemption, xfrm_state_look_at will find a different pcpu_id and look up states for that other CPU. If we matched a state for CPU2 in the state_cache while the lookup started on CPU1, we will jump to "found", but the "best" state that we got will be ignored and we will enter the "acquire" block. This block uses state_ptrs, which isn't initialized at this point.

Let's initialize state_ptrs just after taking rcu_read_lock. This will also prevent a possible misuse in the future, if someone adjusts this function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T16:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: state: initialize state_ptrs earlier in xfrm_state_find\n\nIn case of preemption, xfrm_state_look_at will find a different\npcpu_id and look up states for that other CPU. If we matched a state\nfor CPU2 in the state_cache while the lookup started on CPU1, we will\njump to \"found\", but the \"best\" state that we got will be ignored and\nwe will enter the \"acquire\" block. This block uses state_ptrs, which\nisn\u0027t initialized at this point.\n\nLet\u0027s initialize state_ptrs just after taking rcu_read_lock. This will\nalso prevent a possible misuse in the future, if someone adjusts this\nfunction.",
  "id": "GHSA-698j-xv88-2hj7",
  "modified": "2025-11-26T00:30:15Z",
  "published": "2025-08-22T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38675"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/463562f9591742be62ddde3b426a0533ed496955"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bf2daafc51bcb9272c0fdff2afd38217337d0d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94d077c331730510d5611b438640a292097341f0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6999-6M26-M9XX

Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2025-06-05 15:31
VLAI
Details

A remote code execution (RCE) vulnerability in the component /inventory/doCptimpoptInventory of Weaver Ecology v9.* allows attackers to execute arbitrary code via injecting a crafted payload into the name of an uploaded file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T18:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "A remote code execution (RCE) vulnerability in the component /inventory/doCptimpoptInventory of Weaver Ecology v9.* allows attackers to execute arbitrary code via injecting a crafted payload into the name of an uploaded file.",
  "id": "GHSA-6999-6m26-m9xx",
  "modified": "2025-06-05T15:31:20Z",
  "published": "2024-11-19T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48069"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/CoinIsMoney/5dd555805e8f974630ced8a1df8182f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stuven1989/TemporaryGuild/blob/main/guild2.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-699H-74GF-WCVM

Vulnerability from github – Published: 2023-04-04 15:30 – Updated: 2023-04-11 18:30
VLAI
Details

An issue was discovered in Acuant AcuFill SDK before 10.22.02.03. Multiple MSI's get executed out of a standard-user writable directory. Through a race condition and OpLock manipulation, these files can be overwritten by a standard user. They then get executed by the elevated installer. This gives a standard user full SYSTEM code execution (elevation of privileges).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Acuant AcuFill SDK before 10.22.02.03. Multiple MSI\u0027s get executed out of a standard-user writable directory. Through a race condition and OpLock manipulation, these files can be overwritten by a standard user. They then get executed by the elevated installer. This gives a standard user full SYSTEM code execution (elevation of privileges).",
  "id": "GHSA-699h-74gf-wcvm",
  "modified": "2023-04-11T18:30:30Z",
  "published": "2023-04-04T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48221"
    },
    {
      "type": "WEB",
      "url": "https://acuant.com"
    },
    {
      "type": "WEB",
      "url": "https://hackandpwn.com/disclosures/CVE-2022-48221.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69FG-3J6F-3W5W

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Use after free due to race condition when reopening the device driver repeatedly in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free due to race condition when reopening the device driver repeatedly in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking",
  "id": "GHSA-69fg-3j6f-3w5w",
  "modified": "2022-05-24T19:04:43Z",
  "published": "2022-05-24T19:04:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11250"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/january-2021-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-69P2-XP3C-FF6J

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07
VLAI
Details

Race condition in Microsoft Malicious Software Removal Tool (MSRT) before 5.26 allows local users to gain privileges via a crafted DLL, aka "MSRT Race Condition Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-2418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-07-20T18:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in Microsoft Malicious Software Removal Tool (MSRT) before 5.26 allows local users to gain privileges via a crafted DLL, aka \"MSRT Race Condition Vulnerability.\"",
  "id": "GHSA-69p2-xp3c-ff6j",
  "modified": "2022-05-13T01:07:07Z",
  "published": "2022-05-13T01:07:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2418"
    },
    {
      "type": "WEB",
      "url": "https://technet.microsoft.com/library/security/3074162"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/163755/Microsoft-Windows-Malicious-Software-Removal-Tool-Privilege-Escalation.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1032901"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-69PJ-M4HX-VX8V

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "CoreFoundation" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-03T06:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the \"CoreFoundation\" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app.",
  "id": "GHSA-69pj-m4hx-vx8v",
  "modified": "2022-05-13T01:52:37Z",
  "published": "2022-05-13T01:52:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4155"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208692"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208693"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208696"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208698"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040604"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040608"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6C4H-C3C8-4V5J

Vulnerability from github – Published: 2022-05-14 03:33 – Updated: 2022-05-14 03:33
VLAI
Details

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in diag_ioctl_lsm_deinit() leads to a Use After Free condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-16T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in diag_ioctl_lsm_deinit() leads to a Use After Free condition.",
  "id": "GHSA-6c4h-c3c8-4v5j",
  "modified": "2022-05-14T03:33:41Z",
  "published": "2022-05-14T03:33:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3561"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.