Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2903 vulnerabilities reference this CWE, most recent first.

GHSA-9FRC-28R7-WX7X

Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-06 00:00
VLAI
Details

In video codec, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06521260; Issue ID: ALPS06521260.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-01T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In video codec, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06521260; Issue ID: ALPS06521260.",
  "id": "GHSA-9frc-28r7-wx7x",
  "modified": "2022-08-06T00:00:54Z",
  "published": "2022-08-02T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26428"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/August-2022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FRP-399H-R9J4

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, missing race condition protection while updating msg mask table can lead to buffer over-read. Also access to freed memory can happen while updating msg_mask information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-16T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, missing race condition protection while updating msg mask table can lead to buffer over-read. Also access to freed memory can happen while updating msg_mask information.",
  "id": "GHSA-9frp-399h-r9j4",
  "modified": "2022-05-13T01:47:26Z",
  "published": "2022-05-13T01:47:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8279"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2017-11-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FWF-H53Q-XXW3

Vulnerability from github – Published: 2024-07-11 00:32 – Updated: 2025-02-07 21:30
VLAI
Details

A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability the

Routing Protocol Daemon (rpd)

of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to inject incremental routing updates when BGP multipath is enabled, causing rpd to crash and restart, resulting in a Denial of Service (DoS). Since this is a timing issue (race condition), the successful exploitation of this vulnerability is outside the attacker's control.  However, continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.

On all Junos OS and Junos OS Evolved platforms with BGP multipath enabled, a specific multipath calculation removes the original next hop from the multipath lead routes nexthop-set. When this change happens, multipath relies on certain internal timing to record the update.  Under certain circumstance and with specific timing, this could result in an rpd crash.

This issue only affects systems with BGP multipath enabled.

This issue affects:

Junos OS:

  • All versions of 21.1
  • from 21.2 before 21.2R3-S7,
  • from 21.4 before 21.4R3-S6,
  • from 22.1 before 22.1R3-S5,
  • from 22.2 before 22.2R3-S3,
  • from 22.3 before 22.3R3-S2,
  • from 22.4 before 22.4R3,
  • from 23.2 before 23.2R2.

Junos OS Evolved:

  • All versions of 21.1-EVO,
  • All versions of 21.2-EVO,
  • from 21.4-EVO before 21.4R3-S6-EVO,
  • from 22.1-EVO before 22.1R3-S5-EVO,
  • from 22.2-EVO before 22.2R3-S3-EVO,
  • from 22.3-EVO before 22.3R3-S2-EVO,
  • from 22.4-EVO before 22.4R3-EVO,
  • from 23.2-EVO before 23.2R2-EVO.

Versions of Junos OS before 21.1R1 are unaffected by this vulnerability. Versions of Junos OS Evolved before 21.1R1-EVO are unaffected by this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-10T23:15:11Z",
    "severity": "HIGH"
  },
  "details": "A Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability the \n\nRouting Protocol Daemon (rpd)\n\n of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to inject incremental routing updates when BGP multipath is enabled, causing rpd to crash and restart, resulting in a Denial of Service (DoS). Since this is a timing issue (race condition), the successful exploitation of this vulnerability is outside the attacker\u0027s control.\u00a0 However, continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.\n\nOn all Junos OS and Junos OS Evolved platforms with BGP multipath enabled, a specific multipath calculation removes the original next hop from the multipath lead routes nexthop-set. When this change happens, multipath relies on certain internal timing to record the update.\u00a0 Under certain circumstance and with specific timing, this could result in an rpd crash.\n\nThis issue only affects systems with BGP multipath enabled.\n\n\nThis issue affects:\n\nJunos OS: \n\n\n  *  All versions of 21.1\n  *  from 21.2 before 21.2R3-S7, \n  *  from 21.4 before 21.4R3-S6, \n  *  from 22.1 before 22.1R3-S5, \n  *  from 22.2 before 22.2R3-S3, \n  *  from 22.3 before 22.3R3-S2, \n  *  from 22.4 before 22.4R3, \n  *  from 23.2 before 23.2R2.\n\n\n\n\nJunos OS Evolved: \n\n\n  *  All versions of 21.1-EVO,\n  *  All versions of 21.2-EVO,\n  *  from 21.4-EVO before 21.4R3-S6-EVO, \n  *  from 22.1-EVO before 22.1R3-S5-EVO, \n  *  from 22.2-EVO before 22.2R3-S3-EVO, \n  *  from 22.3-EVO before 22.3R3-S2-EVO, \n  *  from 22.4-EVO before 22.4R3-EVO, \n  *  from 23.2-EVO before 23.2R2-EVO.\n\n\n\nVersions of Junos OS before 21.1R1 are unaffected by this vulnerability.\nVersions of Junos OS Evolved before 21.1R1-EVO are unaffected by this vulnerability.",
  "id": "GHSA-9fwf-h53q-xxw3",
  "modified": "2025-02-07T21:30:57Z",
  "published": "2024-07-11T00:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39554"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA83014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9GJV-4X58-J6R8

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30
VLAI
Details

Race condition for some TDX Module before version tdx1.5 within Ring 0: Hypervisor may allow a denial of service. Authorized adversary with a privileged user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (low) impacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T17:16:15Z",
    "severity": "MODERATE"
  },
  "details": "Race condition for some TDX Module before version tdx1.5 within Ring 0: Hypervisor may allow a denial of service. Authorized adversary with a privileged user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (low) impacts.",
  "id": "GHSA-9gjv-4x58-j6r8",
  "modified": "2026-02-10T18:30:40Z",
  "published": "2026-02-10T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31944"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01397.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9GPJ-6MG9-3Q6Q

Vulnerability from github – Published: 2022-05-01 18:05 – Updated: 2022-05-01 18:05
VLAI
Details

xfs_fsr in xfsdump creates a .fsr temporary directory with insecure permissions, which allows local users to read or overwrite arbitrary files on xfs filesystems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-2654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-05-14T21:19:00Z",
    "severity": "MODERATE"
  },
  "details": "xfs_fsr in xfsdump creates a .fsr temporary directory with insecure permissions, which allows local users to read or overwrite arbitrary files on xfs filesystems.",
  "id": "GHSA-9gpj-6mg9-3q6q",
  "modified": "2022-05-01T18:05:41Z",
  "published": "2022-05-01T18:05:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2654"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417894"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/36716"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25220"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25425"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25761"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26867"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:134"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/linux/security/advisories/2007_10_sr.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/23922"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/usn-516-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9H85-G7W3-RH49

Vulnerability from github – Published: 2026-07-15 22:51 – Updated: 2026-07-15 22:51
VLAI
Summary
ViewComponent: Reused Component Instances Retain Stale Render Context
Details

Reused Component Instances Retain Stale Render Context

Summary

ViewComponent::Base instances retain multiple render-scoped objects across calls to render_in. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale helpers, controller, request, view_flow, format/variant details, and slot child context from an earlier render.

This can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering.

Severity

The PoC demonstrates cross-user authorization impact in a realistic downstream application pattern. If the receiving program accepts downstream cross-user authorization impact as a scope-changing impact for a framework vulnerability, an alternative High score can be assigned:

Alternative CVSS: 8.2 Alternative vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected Code

Validated against:

  • Repository commit: eea79445
  • Ruby: 3.4.9

Relevant locations:

  • lib/view_component/base.rb
  • render_in
  • controller
  • helpers
  • __vc_request
  • lib/view_component/slot.rb
  • Slot#to_s
  • lib/view_component/slotable.rb
  • slot storage in @__vc_set_slots
  • lib/view_component/collection.rb
  • child component memoization and spacer rendering

Key retained state:

@view_context = view_context
self.__vc_original_view_context ||= view_context
@lookup_context ||= view_context.lookup_context
@view_flow ||= view_context.view_flow
@__vc_requested_details ||= @lookup_context.vc_requested_details
@__vc_controller ||= view_context.controller
@__vc_helpers ||= __vc_original_view_context || controller.view_context
@__vc_request ||= controller.request if controller.respond_to?(:request)

Slot children also inherit the parent original view context:

@__vc_component_instance.__vc_original_view_context = @parent.__vc_original_view_context

Collections memoize child component instances:

return @components if defined? @components

Root Cause

Component instances are mutable render objects. render_in updates some per-render fields, but many request-scoped values are memoized using ||= or stored for later slot/collection rendering.

There is no runtime guard preventing a component instance from being rendered multiple times under different view contexts, and there is no full reset of render-scoped state at the start of each render.

Maintainer discussion in prior PRs notes that component instances should not be shared between renders, but the current runtime does not enforce this invariant.

Proof of Concept

The following PoC demonstrates four independent effects:

  • stale authorization gate
  • stale Host/request data in generated absolute URLs
  • stale slot child context
  • cross-thread context mixing

Run from the repository root:

$LOAD_PATH.unshift File.expand_path("lib", Dir.pwd)
require "action_controller/railtie"
require "rack/mock"
require "view_component/base"

class ReusePocController < ActionController::Base
  helper_method :current_user, :admin?
  attr_accessor :current_user, :role
  def admin? = role == :admin
end

routes = ActionDispatch::Routing::RouteSet.new
routes.draw { get "/accounts/:id", to: "accounts#show" }
ReusePocController.include routes.url_helpers

class AdminPanelComponent < ViewComponent::Base
  def render? = helpers.admin?

  def call
    href = helpers.url_for(controller: "accounts", action: "show", id: 42, only_path: false)
    "ADMIN user=#{helpers.current_user};host=#{request.host};href=#{href}".html_safe
  end
end

class UrlOnlyComponent < ViewComponent::Base
  def call
    href = helpers.url_for(controller: "accounts", action: "show", id: 42, only_path: false)
    "user=#{helpers.current_user};host=#{request.host};href=#{href}".html_safe
  end
end

class SlotChildComponent < ViewComponent::Base
  def call = "child_user=#{helpers.current_user};child_path=#{request.path}".html_safe
end

class SlotParentComponent < ViewComponent::Base
  renders_one :child, SlotChildComponent
  def call = "parent_user=#{helpers.current_user};parent_path=#{request.path};".html_safe + child.to_s
end

class RaceComponent < ViewComponent::Base
  def before_render = sleep 0.05
  def call = "#{helpers.current_user}@#{request.path}".html_safe
end

def vc(user:, role:, path:, host: "app.example")
  c = ReusePocController.new
  c.current_user = user
  c.role = role
  c.set_request!(ActionDispatch::Request.new(Rack::MockRequest.env_for(path, "HTTP_HOST" => host)))
  c.set_response!(ActionDispatch::Response.new)
  c.view_context
end

admin_vc = vc(user: "alice", role: :admin, path: "/admin", host: "admin.example")
guest_vc = vc(user: "bob", role: :guest, path: "/guest", host: "app.example")

panel = AdminPanelComponent.new
puts "auth_admin_first=#{panel.render_in(admin_vc)}"
puts "auth_guest_reused=#{panel.render_in(guest_vc)}"
puts "auth_guest_fresh=#{AdminPanelComponent.new.render_in(guest_vc).inspect}"

url = UrlOnlyComponent.new
puts "host_attacker_prime=#{url.render_in(vc(user: "attacker", role: :guest, path: "/prime", host: "evil.example"))}"
puts "host_victim_reused=#{url.render_in(vc(user: "victim", role: :guest, path: "/account", host: "app.example"))}"
puts "host_victim_fresh=#{UrlOnlyComponent.new.render_in(vc(user: "victim", role: :guest, path: "/account", host: "app.example"))}"

parent = SlotParentComponent.new
puts "slot_admin_first=#{parent.render_in(admin_vc) { |p| p.with_child }}"
puts "slot_guest_reused=#{parent.render_in(guest_vc) { |p| p.with_child }}"
puts "slot_guest_fresh=#{SlotParentComponent.new.render_in(guest_vc) { |p| p.with_child }}"

race = RaceComponent.new
q = Queue.new
t1 = Thread.new { q << [:admin, race.render_in(vc(user: "admin", role: :admin, path: "/admin"))] }
t2 = Thread.new { q << [:guest, race.render_in(vc(user: "guest", role: :guest, path: "/guest"))] }
t1.join
t2.join
results = 2.times.map { q.pop }.to_h
puts "race_admin_thread=#{results[:admin]}"
puts "race_guest_thread=#{results[:guest]}"

Observed output:

auth_admin_first=ADMIN user=alice;host=admin.example;href=http://admin.example/accounts/42
auth_guest_reused=ADMIN user=alice;host=admin.example;href=http://admin.example/accounts/42
auth_guest_fresh=""

host_attacker_prime=user=attacker;host=evil.example;href=http://evil.example/accounts/42
host_victim_reused=user=attacker;host=evil.example;href=http://evil.example/accounts/42
host_victim_fresh=user=victim;host=app.example;href=http://app.example/accounts/42

slot_admin_first=parent_user=alice;parent_path=/admin;child_user=alice;child_path=/admin
slot_guest_reused=parent_user=alice;parent_path=/admin;child_user=alice;child_path=/guest
slot_guest_fresh=parent_user=bob;parent_path=/guest;child_user=bob;child_path=/guest

race_admin_thread=admin@/guest
race_guest_thread=admin@/guest

Authorization-Impact PoC

The following PoC models a realistic downstream application pattern: a shared component registry caches component objects instead of caching component classes, factories, or rendered strings. An admin request primes the cached toolbar component. A later guest request renders the same cached object.

The component uses render? as an authorization-aware visibility gate and emits a representative privileged action link.

$LOAD_PATH.unshift File.expand_path("lib", Dir.pwd)
require "action_controller/railtie"
require "rack/mock"
require "view_component/base"

module SharedComponentRegistry
  def self.admin_toolbar
    @admin_toolbar ||= AdminToolbarComponent.new
  end

  def self.reset!
    remove_instance_variable(:@admin_toolbar) if defined?(@admin_toolbar)
  end
end

User = Struct.new(:id, :role, keyword_init: true) do
  def admin? = role == :admin
end

class AppController < ActionController::Base
  helper_method :current_user, :admin?
  attr_accessor :current_user

  def admin?
    current_user&.admin?
  end
end

routes = ActionDispatch::Routing::RouteSet.new
routes.draw do
  get "/admin/users/:id/impersonate", to: "admin/users#impersonate", as: :impersonate_admin_user
end
AppController.include routes.url_helpers

class AdminToolbarComponent < ViewComponent::Base
  def render?
    helpers.admin?
  end

  def call
    helpers.link_to(
      "Impersonate user 42",
      helpers.impersonate_admin_user_url(42, host: request.host),
      data: { turbo_method: :post }
    )
  end
end

class DashboardController < AppController
  def render_dashboard_with_shared_component
    render_to_string(inline: '<main><h1>Dashboard</h1><%= render SharedComponentRegistry.admin_toolbar %></main>')
  end

  def render_dashboard_with_fresh_component
    render_to_string(inline: '<main><h1>Dashboard</h1><%= render AdminToolbarComponent.new %></main>')
  end
end

def controller_for(user:, host:, path: "/dashboard")
  c = DashboardController.new
  c.current_user = user
  c.set_request!(ActionDispatch::Request.new(Rack::MockRequest.env_for(path, "HTTP_HOST" => host)))
  c.set_response!(ActionDispatch::Response.new)
  c
end

SharedComponentRegistry.reset!
admin = User.new(id: 1, role: :admin)
guest = User.new(id: 2, role: :guest)

admin_response = controller_for(user: admin, host: "admin.example").render_dashboard_with_shared_component
guest_reused_response = controller_for(user: guest, host: "app.example").render_dashboard_with_shared_component
guest_fresh_response = controller_for(user: guest, host: "app.example").render_dashboard_with_fresh_component

puts "admin_shared_contains_admin_link=#{admin_response.include?('/admin/users/42/impersonate')}"
puts "guest_reused_contains_admin_link=#{guest_reused_response.include?('/admin/users/42/impersonate')}"
puts "guest_fresh_contains_admin_link=#{guest_fresh_response.include?('/admin/users/42/impersonate')}"
puts "guest_reused_contains_admin_host=#{guest_reused_response.include?('http://admin.example/admin/users/42/impersonate')}"
puts "guest_reused_response=#{guest_reused_response.gsub(/\s+/, ' ').strip}"
puts "guest_fresh_response=#{guest_fresh_response.gsub(/\s+/, ' ').strip.inspect}"

Observed output:

admin_shared_contains_admin_link=true
guest_reused_contains_admin_link=true
guest_fresh_contains_admin_link=false
guest_reused_contains_admin_host=true
guest_reused_response=<main><h1>Dashboard</h1><a data-turbo-method="post" href="http://admin.example/admin/users/42/impersonate">Impersonate user 42</a></main>
guest_fresh_response="<main><h1>Dashboard</h1></main>"

This confirms a cross-user authorization impact in a realistic pattern: a guest receives privileged UI that a fresh component correctly suppresses. It also confirms stale request and Host context in the generated privileged URL.

Exploit Scenario

A downstream app stores component instances in a constant, singleton service, memoized helper, cache object, or shared collection builder to avoid allocation. An attacker or lower-privileged user later triggers rendering of that same object.

Potential real-world examples:

  • A navigation/sidebar component checks helpers.admin? in render?.
  • A tenant switcher uses request.host or current_user.account.
  • A component emits absolute URLs or signed action links.
  • A table uses slot child components that rely on helper/request state.
  • A global UI registry stores instantiated spacer or child components.

In these cases, a component first rendered under an admin or attacker-controlled request can affect later renders for other users.

Impact

Confirmed impact classes:

  • stale privileged UI rendering
  • stale user identity through helpers
  • stale Host/request data in generated absolute URLs
  • slot child context inheritance
  • cross-thread context corruption
  • stale format/variant template selection
  • stale view_flow / content_for writes
  • collection and spacer component context leakage

This can chain into privilege escalation if an application relies on UI visibility as an authorization boundary. It can also leak signed links, tenant-specific URLs, admin actions, or user-specific data.

Preconditions

  • The same component, collection, slot, or spacer component instance is reused across render contexts.
  • The component reads request-scoped or user-scoped APIs such as helpers, controller, request, URL helpers, render?, before_render, slots, variants, formats, or content_for.
  • Higher impact when the shared object crosses users, tenants, roles, or threads.

Normal per-request usage such as render(MyComponent.new(...)) is not affected.

Chaining Potential

This issue can chain with:

  • UI-only authorization checks
  • signed admin links embedded in components
  • Host header poisoning
  • multi-tenant routing based on host/subdomain
  • shared component registries
  • fragment/component caching patterns that cache objects rather than rendered strings
  • concurrent Rails servers such as Puma

The framework alone does not directly prove account takeover, but downstream applications can reach high impact if stale component output exposes privileged action links or bypasses server-side authorization assumptions.

Remediation

The safest fix is to make component and collection instances one-shot renderables.

Recommended options:

  1. Add a runtime guard in render_in that raises or warns when the same component instance is rendered again with a different view_context.
  2. Reset render-scoped ivars at the beginning of every render, including:
  3. __vc_original_view_context
  4. @lookup_context
  5. @view_flow
  6. @__vc_requested_details
  7. @__vc_controller
  8. @__vc_helpers
  9. @__vc_request
  10. Rebuild ViewComponent::Collection child component instances per render or document/enforce collections as one-shot.
  11. Avoid accepting a reusable instantiated spacer_component, or reset/clone it before rendering.
  12. Add thread-safety tests for concurrent rendering of a shared instance.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "view_component"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-488",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-15T22:51:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Reused Component Instances Retain Stale Render Context\n\n## Summary\n\n`ViewComponent::Base` instances retain multiple render-scoped objects across calls to `render_in`. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale `helpers`, `controller`, `request`, `view_flow`, format/variant details, and slot child context from an earlier render.\n\nThis can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering.\n\n## Severity\n\nThe PoC demonstrates cross-user authorization impact in a realistic downstream application pattern.\nIf the receiving program accepts downstream cross-user authorization impact as a scope-changing impact for a framework vulnerability, an alternative High score can be assigned:\n\nAlternative CVSS: 8.2\nAlternative vector: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N`\n\n## Affected Code\n\nValidated against:\n\n- Repository commit: `eea79445`\n- Ruby: `3.4.9`\n\nRelevant locations:\n\n- `lib/view_component/base.rb`\n  - `render_in`\n  - `controller`\n  - `helpers`\n  - `__vc_request`\n- `lib/view_component/slot.rb`\n  - `Slot#to_s`\n- `lib/view_component/slotable.rb`\n  - slot storage in `@__vc_set_slots`\n- `lib/view_component/collection.rb`\n  - child component memoization and spacer rendering\n\nKey retained state:\n\n```ruby\n@view_context = view_context\nself.__vc_original_view_context ||= view_context\n@lookup_context ||= view_context.lookup_context\n@view_flow ||= view_context.view_flow\n@__vc_requested_details ||= @lookup_context.vc_requested_details\n```\n\n```ruby\n@__vc_controller ||= view_context.controller\n@__vc_helpers ||= __vc_original_view_context || controller.view_context\n@__vc_request ||= controller.request if controller.respond_to?(:request)\n```\n\nSlot children also inherit the parent original view context:\n\n```ruby\n@__vc_component_instance.__vc_original_view_context = @parent.__vc_original_view_context\n```\n\nCollections memoize child component instances:\n\n```ruby\nreturn @components if defined? @components\n```\n\n## Root Cause\n\nComponent instances are mutable render objects. `render_in` updates some per-render fields, but many request-scoped values are memoized using `||=` or stored for later slot/collection rendering.\n\nThere is no runtime guard preventing a component instance from being rendered multiple times under different view contexts, and there is no full reset of render-scoped state at the start of each render.\n\nMaintainer discussion in prior PRs notes that component instances should not be shared between renders, but the current runtime does not enforce this invariant.\n\n## Proof of Concept\n\nThe following PoC demonstrates four independent effects:\n\n- stale authorization gate\n- stale Host/request data in generated absolute URLs\n- stale slot child context\n- cross-thread context mixing\n\nRun from the repository root:\n\n```ruby\n$LOAD_PATH.unshift File.expand_path(\"lib\", Dir.pwd)\nrequire \"action_controller/railtie\"\nrequire \"rack/mock\"\nrequire \"view_component/base\"\n\nclass ReusePocController \u003c ActionController::Base\n  helper_method :current_user, :admin?\n  attr_accessor :current_user, :role\n  def admin? = role == :admin\nend\n\nroutes = ActionDispatch::Routing::RouteSet.new\nroutes.draw { get \"/accounts/:id\", to: \"accounts#show\" }\nReusePocController.include routes.url_helpers\n\nclass AdminPanelComponent \u003c ViewComponent::Base\n  def render? = helpers.admin?\n\n  def call\n    href = helpers.url_for(controller: \"accounts\", action: \"show\", id: 42, only_path: false)\n    \"ADMIN user=#{helpers.current_user};host=#{request.host};href=#{href}\".html_safe\n  end\nend\n\nclass UrlOnlyComponent \u003c ViewComponent::Base\n  def call\n    href = helpers.url_for(controller: \"accounts\", action: \"show\", id: 42, only_path: false)\n    \"user=#{helpers.current_user};host=#{request.host};href=#{href}\".html_safe\n  end\nend\n\nclass SlotChildComponent \u003c ViewComponent::Base\n  def call = \"child_user=#{helpers.current_user};child_path=#{request.path}\".html_safe\nend\n\nclass SlotParentComponent \u003c ViewComponent::Base\n  renders_one :child, SlotChildComponent\n  def call = \"parent_user=#{helpers.current_user};parent_path=#{request.path};\".html_safe + child.to_s\nend\n\nclass RaceComponent \u003c ViewComponent::Base\n  def before_render = sleep 0.05\n  def call = \"#{helpers.current_user}@#{request.path}\".html_safe\nend\n\ndef vc(user:, role:, path:, host: \"app.example\")\n  c = ReusePocController.new\n  c.current_user = user\n  c.role = role\n  c.set_request!(ActionDispatch::Request.new(Rack::MockRequest.env_for(path, \"HTTP_HOST\" =\u003e host)))\n  c.set_response!(ActionDispatch::Response.new)\n  c.view_context\nend\n\nadmin_vc = vc(user: \"alice\", role: :admin, path: \"/admin\", host: \"admin.example\")\nguest_vc = vc(user: \"bob\", role: :guest, path: \"/guest\", host: \"app.example\")\n\npanel = AdminPanelComponent.new\nputs \"auth_admin_first=#{panel.render_in(admin_vc)}\"\nputs \"auth_guest_reused=#{panel.render_in(guest_vc)}\"\nputs \"auth_guest_fresh=#{AdminPanelComponent.new.render_in(guest_vc).inspect}\"\n\nurl = UrlOnlyComponent.new\nputs \"host_attacker_prime=#{url.render_in(vc(user: \"attacker\", role: :guest, path: \"/prime\", host: \"evil.example\"))}\"\nputs \"host_victim_reused=#{url.render_in(vc(user: \"victim\", role: :guest, path: \"/account\", host: \"app.example\"))}\"\nputs \"host_victim_fresh=#{UrlOnlyComponent.new.render_in(vc(user: \"victim\", role: :guest, path: \"/account\", host: \"app.example\"))}\"\n\nparent = SlotParentComponent.new\nputs \"slot_admin_first=#{parent.render_in(admin_vc) { |p| p.with_child }}\"\nputs \"slot_guest_reused=#{parent.render_in(guest_vc) { |p| p.with_child }}\"\nputs \"slot_guest_fresh=#{SlotParentComponent.new.render_in(guest_vc) { |p| p.with_child }}\"\n\nrace = RaceComponent.new\nq = Queue.new\nt1 = Thread.new { q \u003c\u003c [:admin, race.render_in(vc(user: \"admin\", role: :admin, path: \"/admin\"))] }\nt2 = Thread.new { q \u003c\u003c [:guest, race.render_in(vc(user: \"guest\", role: :guest, path: \"/guest\"))] }\nt1.join\nt2.join\nresults = 2.times.map { q.pop }.to_h\nputs \"race_admin_thread=#{results[:admin]}\"\nputs \"race_guest_thread=#{results[:guest]}\"\n```\n\nObserved output:\n\n```text\nauth_admin_first=ADMIN user=alice;host=admin.example;href=http://admin.example/accounts/42\nauth_guest_reused=ADMIN user=alice;host=admin.example;href=http://admin.example/accounts/42\nauth_guest_fresh=\"\"\n\nhost_attacker_prime=user=attacker;host=evil.example;href=http://evil.example/accounts/42\nhost_victim_reused=user=attacker;host=evil.example;href=http://evil.example/accounts/42\nhost_victim_fresh=user=victim;host=app.example;href=http://app.example/accounts/42\n\nslot_admin_first=parent_user=alice;parent_path=/admin;child_user=alice;child_path=/admin\nslot_guest_reused=parent_user=alice;parent_path=/admin;child_user=alice;child_path=/guest\nslot_guest_fresh=parent_user=bob;parent_path=/guest;child_user=bob;child_path=/guest\n\nrace_admin_thread=admin@/guest\nrace_guest_thread=admin@/guest\n```\n\n## Authorization-Impact PoC\n\nThe following PoC models a realistic downstream application pattern: a shared component registry caches component objects instead of caching component classes, factories, or rendered strings. An admin request primes the cached toolbar component. A later guest request renders the same cached object.\n\nThe component uses `render?` as an authorization-aware visibility gate and emits a representative privileged action link.\n\n```ruby\n$LOAD_PATH.unshift File.expand_path(\"lib\", Dir.pwd)\nrequire \"action_controller/railtie\"\nrequire \"rack/mock\"\nrequire \"view_component/base\"\n\nmodule SharedComponentRegistry\n  def self.admin_toolbar\n    @admin_toolbar ||= AdminToolbarComponent.new\n  end\n\n  def self.reset!\n    remove_instance_variable(:@admin_toolbar) if defined?(@admin_toolbar)\n  end\nend\n\nUser = Struct.new(:id, :role, keyword_init: true) do\n  def admin? = role == :admin\nend\n\nclass AppController \u003c ActionController::Base\n  helper_method :current_user, :admin?\n  attr_accessor :current_user\n\n  def admin?\n    current_user\u0026.admin?\n  end\nend\n\nroutes = ActionDispatch::Routing::RouteSet.new\nroutes.draw do\n  get \"/admin/users/:id/impersonate\", to: \"admin/users#impersonate\", as: :impersonate_admin_user\nend\nAppController.include routes.url_helpers\n\nclass AdminToolbarComponent \u003c ViewComponent::Base\n  def render?\n    helpers.admin?\n  end\n\n  def call\n    helpers.link_to(\n      \"Impersonate user 42\",\n      helpers.impersonate_admin_user_url(42, host: request.host),\n      data: { turbo_method: :post }\n    )\n  end\nend\n\nclass DashboardController \u003c AppController\n  def render_dashboard_with_shared_component\n    render_to_string(inline: \u0027\u003cmain\u003e\u003ch1\u003eDashboard\u003c/h1\u003e\u003c%= render SharedComponentRegistry.admin_toolbar %\u003e\u003c/main\u003e\u0027)\n  end\n\n  def render_dashboard_with_fresh_component\n    render_to_string(inline: \u0027\u003cmain\u003e\u003ch1\u003eDashboard\u003c/h1\u003e\u003c%= render AdminToolbarComponent.new %\u003e\u003c/main\u003e\u0027)\n  end\nend\n\ndef controller_for(user:, host:, path: \"/dashboard\")\n  c = DashboardController.new\n  c.current_user = user\n  c.set_request!(ActionDispatch::Request.new(Rack::MockRequest.env_for(path, \"HTTP_HOST\" =\u003e host)))\n  c.set_response!(ActionDispatch::Response.new)\n  c\nend\n\nSharedComponentRegistry.reset!\nadmin = User.new(id: 1, role: :admin)\nguest = User.new(id: 2, role: :guest)\n\nadmin_response = controller_for(user: admin, host: \"admin.example\").render_dashboard_with_shared_component\nguest_reused_response = controller_for(user: guest, host: \"app.example\").render_dashboard_with_shared_component\nguest_fresh_response = controller_for(user: guest, host: \"app.example\").render_dashboard_with_fresh_component\n\nputs \"admin_shared_contains_admin_link=#{admin_response.include?(\u0027/admin/users/42/impersonate\u0027)}\"\nputs \"guest_reused_contains_admin_link=#{guest_reused_response.include?(\u0027/admin/users/42/impersonate\u0027)}\"\nputs \"guest_fresh_contains_admin_link=#{guest_fresh_response.include?(\u0027/admin/users/42/impersonate\u0027)}\"\nputs \"guest_reused_contains_admin_host=#{guest_reused_response.include?(\u0027http://admin.example/admin/users/42/impersonate\u0027)}\"\nputs \"guest_reused_response=#{guest_reused_response.gsub(/\\s+/, \u0027 \u0027).strip}\"\nputs \"guest_fresh_response=#{guest_fresh_response.gsub(/\\s+/, \u0027 \u0027).strip.inspect}\"\n```\n\nObserved output:\n\n```text\nadmin_shared_contains_admin_link=true\nguest_reused_contains_admin_link=true\nguest_fresh_contains_admin_link=false\nguest_reused_contains_admin_host=true\nguest_reused_response=\u003cmain\u003e\u003ch1\u003eDashboard\u003c/h1\u003e\u003ca data-turbo-method=\"post\" href=\"http://admin.example/admin/users/42/impersonate\"\u003eImpersonate user 42\u003c/a\u003e\u003c/main\u003e\nguest_fresh_response=\"\u003cmain\u003e\u003ch1\u003eDashboard\u003c/h1\u003e\u003c/main\u003e\"\n```\n\nThis confirms a cross-user authorization impact in a realistic pattern: a guest receives privileged UI that a fresh component correctly suppresses. It also confirms stale request and Host context in the generated privileged URL.\n\n## Exploit Scenario\n\nA downstream app stores component instances in a constant, singleton service, memoized helper, cache object, or shared collection builder to avoid allocation. An attacker or lower-privileged user later triggers rendering of that same object.\n\nPotential real-world examples:\n\n- A navigation/sidebar component checks `helpers.admin?` in `render?`.\n- A tenant switcher uses `request.host` or `current_user.account`.\n- A component emits absolute URLs or signed action links.\n- A table uses slot child components that rely on helper/request state.\n- A global UI registry stores instantiated spacer or child components.\n\nIn these cases, a component first rendered under an admin or attacker-controlled request can affect later renders for other users.\n\n## Impact\n\nConfirmed impact classes:\n\n- stale privileged UI rendering\n- stale user identity through `helpers`\n- stale Host/request data in generated absolute URLs\n- slot child context inheritance\n- cross-thread context corruption\n- stale format/variant template selection\n- stale `view_flow` / `content_for` writes\n- collection and spacer component context leakage\n\nThis can chain into privilege escalation if an application relies on UI visibility as an authorization boundary. It can also leak signed links, tenant-specific URLs, admin actions, or user-specific data.\n\n## Preconditions\n\n- The same component, collection, slot, or spacer component instance is reused across render contexts.\n- The component reads request-scoped or user-scoped APIs such as `helpers`, `controller`, `request`, URL helpers, `render?`, `before_render`, slots, variants, formats, or `content_for`.\n- Higher impact when the shared object crosses users, tenants, roles, or threads.\n\nNormal per-request usage such as `render(MyComponent.new(...))` is not affected.\n\n## Chaining Potential\n\nThis issue can chain with:\n\n- UI-only authorization checks\n- signed admin links embedded in components\n- Host header poisoning\n- multi-tenant routing based on host/subdomain\n- shared component registries\n- fragment/component caching patterns that cache objects rather than rendered strings\n- concurrent Rails servers such as Puma\n\nThe framework alone does not directly prove account takeover, but downstream applications can reach high impact if stale component output exposes privileged action links or bypasses server-side authorization assumptions.\n\n## Remediation\n\nThe safest fix is to make component and collection instances one-shot renderables.\n\nRecommended options:\n\n1. Add a runtime guard in `render_in` that raises or warns when the same component instance is rendered again with a different `view_context`.\n2. Reset render-scoped ivars at the beginning of every render, including:\n   - `__vc_original_view_context`\n   - `@lookup_context`\n   - `@view_flow`\n   - `@__vc_requested_details`\n   - `@__vc_controller`\n   - `@__vc_helpers`\n   - `@__vc_request`\n3. Rebuild `ViewComponent::Collection` child component instances per render or document/enforce collections as one-shot.\n4. Avoid accepting a reusable instantiated `spacer_component`, or reset/clone it before rendering.\n5. Add thread-safety tests for concurrent rendering of a shared instance.",
  "id": "GHSA-9h85-g7w3-rh49",
  "modified": "2026-07-15T22:51:33Z",
  "published": "2026-07-15T22:51:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-9h85-g7w3-rh49"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ViewComponent/view_component/commit/7b05073be28037f7d5ff141e9dd42f3cf47956a4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ViewComponent/view_component"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ViewComponent/view_component/releases/tag/v4.12.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-54497.yml"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ViewComponent: Reused Component Instances Retain Stale Render Context"
}

GHSA-9H9F-XMHF-8GQC

Vulnerability from github – Published: 2025-11-28 03:30 – Updated: 2025-11-28 03:30
VLAI
Details

Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-28T03:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Denial of service (DoS) vulnerability in the office service.\nImpact: Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-9h9f-xmhf-8gqc",
  "modified": "2025-11-28T03:30:27Z",
  "published": "2025-11-28T03:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64313"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2025/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HPW-R23R-XGM5

Vulnerability from github – Published: 2022-06-17 00:25 – Updated: 2022-06-17 00:25
VLAI
Summary
Data race in `Iter` and `IterMut`
Details

In the affected version of this crate, {Iter, IterMut}::next used a weaker memory ordering when loading values than what was required, exposing a potential data race when iterating over a ThreadLocal's values.

Crates using Iter::next, or IterMut::next are affected by this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "thread_local"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T00:25:46Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "In the affected version of this crate, `{Iter, IterMut}::next` used a weaker memory ordering when loading values than what was required, exposing a potential data race\nwhen iterating over a `ThreadLocal`\u0027s values.\n\nCrates using `Iter::next`, or `IterMut::next` are affected by this issue.\n",
  "id": "GHSA-9hpw-r23r-xgm5",
  "modified": "2022-06-17T00:25:46Z",
  "published": "2022-06-17T00:25:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Amanieu/thread_local-rs/issues/33"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Amanieu/thread_local-rs"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0006.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Data race in `Iter` and `IterMut`"
}

GHSA-9HQ3-7CHC-XFF2

Vulnerability from github – Published: 2023-10-10 18:31 – Updated: 2024-04-04 08:32
VLAI
Details

Layer 2 Tunneling Protocol Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-10T18:15:18Z",
    "severity": "HIGH"
  },
  "details": "Layer 2 Tunneling Protocol Remote Code Execution Vulnerability",
  "id": "GHSA-9hq3-7chc-xff2",
  "modified": "2024-04-04T08:32:52Z",
  "published": "2023-10-10T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41774"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41774"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HQH-QQFF-45P6

Vulnerability from github – Published: 2022-05-17 04:18 – Updated: 2022-05-17 04:18
VLAI
Details

Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-6458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-01-24T18:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command.",
  "id": "GHSA-9hqh-qqff-45p6",
  "modified": "2022-05-17T04:18:15Z",
  "published": "2022-05-17T04:18:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6458"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1043069"
    },
    {
      "type": "WEB",
      "url": "http://libvirt.org/news.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00060.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00062.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0103.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56186"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56446"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/60895"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201412-04.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2846"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2093-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.