CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2903 vulnerabilities reference this CWE, most recent first.
GHSA-9PP4-8P8V-G78W
Vulnerability from github – Published: 2021-08-25 20:57 – Updated: 2021-08-18 20:22An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T. This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries which can trigger undefined behavior and memory corruption.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "lever"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36457"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T20:22:32Z",
"nvd_published_at": "2021-08-08T06:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox\u003cT\u003e implements the Send and Sync traits for all types T. This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries which can trigger undefined behavior and memory corruption.",
"id": "GHSA-9pp4-8p8v-g78w",
"modified": "2021-08-18T20:22:32Z",
"published": "2021-08-25T20:57:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36457"
},
{
"type": "WEB",
"url": "https://github.com/vertexclique/lever/issues/15"
},
{
"type": "WEB",
"url": "https://github.com/vertexclique/lever/pull/17"
},
{
"type": "WEB",
"url": "https://github.com/vertexclique/lever/commit/4a4cca61cdb25061967d58522229e147483007b1"
},
{
"type": "PACKAGE",
"url": "https://github.com/vertexclique/lever"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0137.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Data races in lever"
}
GHSA-9PPX-3J9G-766W
Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2023-03-11 03:30A flaw was found in samba. A race condition in the password lockout code may lead to the risk of brute force attacks being successful if special conditions are met.
{
"affected": [],
"aliases": [
"CVE-2021-20251"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-06T23:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in samba. A race condition in the password lockout code may lead to the risk of brute force attacks being successful if special conditions are met.",
"id": "GHSA-9ppx-3j9g-766w",
"modified": "2023-03-11T03:30:17Z",
"published": "2023-03-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20251"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1929800"
},
{
"type": "WEB",
"url": "https://bugzilla.samba.org/show_bug.cgi?id=14611"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-06"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230331-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9PQG-GMHR-V6C6
Vulnerability from github – Published: 2025-08-06 06:31 – Updated: 2025-08-06 06:31Race condition vulnerability in the kernel hufs module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
{
"affected": [],
"aliases": [
"CVE-2025-54651"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T04:16:17Z",
"severity": "MODERATE"
},
"details": "Race condition vulnerability in the kernel hufs module.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.",
"id": "GHSA-9pqg-gmhr-v6c6",
"modified": "2025-08-06T06:31:22Z",
"published": "2025-08-06T06:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54651"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9PW6-G5GG-555M
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48A vulnerability in the forwarding of transit TCPv6 packets received on the Ethernet management interface of Juniper Networks Junos OS allows an attacker to trigger a kernel panic, leading to a Denial of Service (DoS). Continued receipt and processing of these transit packets will create a sustained Denial of Service (DoS) condition. This issue only occurs when TCPv6 packets are routed through the management interface. Other transit traffic, and traffic destined to the management interface, are unaffected by this vulnerability. This issue was introduced as part of a TCP Parallelization feature added in Junos OS 17.2, and affects systems with concurrent network stack enabled. This feature is enabled by default, but can be disabled (see WORKAROUND section below). This issue affects Juniper Networks Junos OS: 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S4; 19.1 versions prior to 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1.
{
"affected": [],
"aliases": [
"CVE-2021-0258"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the forwarding of transit TCPv6 packets received on the Ethernet management interface of Juniper Networks Junos OS allows an attacker to trigger a kernel panic, leading to a Denial of Service (DoS). Continued receipt and processing of these transit packets will create a sustained Denial of Service (DoS) condition. This issue only occurs when TCPv6 packets are routed through the management interface. Other transit traffic, and traffic destined to the management interface, are unaffected by this vulnerability. This issue was introduced as part of a TCP Parallelization feature added in Junos OS 17.2, and affects systems with concurrent network stack enabled. This feature is enabled by default, but can be disabled (see WORKAROUND section below). This issue affects Juniper Networks Junos OS: 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S4; 19.1 versions prior to 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1.",
"id": "GHSA-9pw6-g5gg-555m",
"modified": "2022-05-24T17:48:14Z",
"published": "2022-05-24T17:48:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0258"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11149"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9Q24-HWMC-797X
Vulnerability from github – Published: 2024-02-22 12:30 – Updated: 2024-12-11 21:10Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer. This issue affects Apache Answer through 1.2.1.
Repeated submission during registration resulted in the registration of the same user. When users register, if they rapidly submit multiple registrations using scripts, it can result in the creation of multiple user accounts simultaneously with the same name.
Users are recommended to upgrade to version 1.2.5, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/apache/incubator-answer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-26578"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-22T21:35:15Z",
"nvd_published_at": "2024-02-22T10:15:08Z",
"severity": "MODERATE"
},
"details": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability in Apache Answer. This issue affects Apache Answer through 1.2.1.\n\nRepeated submission during registration resulted in the registration of the same user. When users register, if they rapidly submit multiple registrations using scripts, it can result in the creation of multiple user accounts simultaneously with the same name.\n\nUsers are recommended to upgrade to version 1.2.5, which fixes the issue.",
"id": "GHSA-9q24-hwmc-797x",
"modified": "2024-12-11T21:10:47Z",
"published": "2024-02-22T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26578"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/incubator-answer"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ko0ksnznt2484lxt0zts2ygr82ldkhcb"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/22/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Answer Race Condition vulnerability"
}
GHSA-9Q4W-JMGX-6765
Vulnerability from github – Published: 2022-05-17 05:24 – Updated: 2024-03-21 03:33** DISPUTED ** Race condition in F-Secure Internet Security 2010 10.00 build 246 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute.
{
"affected": [],
"aliases": [
"CVE-2010-5161"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-08-25T21:55:00Z",
"severity": "MODERATE"
},
"details": "** DISPUTED ** Race condition in F-Secure Internet Security 2010 10.00 build 246 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute.",
"id": "GHSA-9q4w-jmgx-6765",
"modified": "2024-03-21T03:33:10Z",
"published": "2022-05-17T05:24:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5161"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2010-05/0026.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0066.html"
},
{
"type": "WEB",
"url": "http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk"
},
{
"type": "WEB",
"url": "http://matousec.com/info/advisories/khobe-8.0-earthquake-for-windows-desktop-security-software.php"
},
{
"type": "WEB",
"url": "http://matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php"
},
{
"type": "WEB",
"url": "http://www.f-secure.com/weblog/archives/00001949.html"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/67660"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/39924"
},
{
"type": "WEB",
"url": "http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9Q5M-JFC4-WC92
Vulnerability from github – Published: 2026-04-01 19:52 – Updated: 2026-04-06 17:18Summary
All three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity.
Details
The OAuthBrokerService.GetService() returns a single shared instance per provider for every request. The OAuth flow stores intermediate state as struct fields on this singleton:
Token storage — generic_oauth_service.go line 96:
generic.token = token // Shared mutable field on singleton
Verifier storage — generic_oauth_service.go line 81:
generic.verifier = verifier // Shared mutable field on singleton
In the callback handler oauth_controller.go lines 136–143, the code calls:
err = service.VerifyCode(code) // line 136 — stores token on singleton
// ... race window ...
user, err := controller.broker.GetUser(req.Provider) // line 143 — reads token from singleton
Between these two calls, a concurrent request's VerifyCode() can overwrite the token field, causing GetUser() → Userinfo() to fetch the wrong user's identity claims.
The same pattern exists in all three implementations:
- github_oauth_service.go lines 34–39, 77, 86–99
- google_oauth_service.go lines 22–27, 65, 73–87
PoC
Race scenario (two concurrent OAuth callbacks):
- User A and User B both click "Login with GitHub" on the same tinyauth instance
- Both are redirected to GitHub, authorize, and GitHub redirects both back with authorization codes
- Both callbacks arrive at tinyauth nearly simultaneously:
Timeline:
t0: Request A → service.VerifyCode(codeA) → singleton.token = tokenA
t1: Request B → service.VerifyCode(codeB) → singleton.token = tokenB (overwrites tokenA)
t2: Request A → broker.GetUser("github") → Userinfo() reads singleton.token = tokenB
t3: Request A receives User B's identity (email, name, groups)
User A now has a tinyauth session with User B's email, gaining access to all resources User B is authorized for via tinyauth's ACL.
PKCE verifier DoS variant: Even with PKCE, concurrent oauthURLHandler calls overwrite the verifier field, causing VerifyCode() to send the wrong verifier to the OAuth provider, which rejects the exchange.
Static verification: Run Go's race detector on a test that calls VerifyCode and Userinfo concurrently on the same service instance — the -race flag will flag data races on the token and verifier fields.
Go race detector confirmation: Running a concurrent test with go test -race on the singleton service detects 4 data races on the token and verifier fields. Without the race detector, measured token overwrite rate is 99.9% (9,985/10,000 iterations).
Test environment: tinyauth v5.0.4, commit 592b7ded, Go race detector + source code analysis
Impact
An attacker who times their OAuth callback to race with a victim's callback can obtain a tinyauth session with the victim's identity. This grants unauthorized access to all resources the victim is permitted to access through tinyauth's ACL system. The probability of collision increases with concurrent OAuth traffic.
The PKCE verifier overwrite additionally causes a denial-of-service: concurrent OAuth logins for the same provider reliably fail.
Suggested Fix
Pass verifier and token through method parameters or return values instead of storing them on the singleton:
func (generic *GenericOAuthService) VerifyCode(code string, verifier string) (*oauth2.Token, error) {
return generic.config.Exchange(generic.context, code, oauth2.VerifierOption(verifier))
}
func (generic *GenericOAuthService) Userinfo(token *oauth2.Token) (config.Claims, error) {
client := generic.config.Client(generic.context, token)
// ...
}
Store the PKCE verifier in the session/cookie associated with the OAuth state parameter, not on the service struct.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/steveiliop56/tinyauth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1-0.20260401140714-fc1d4f2082a5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33544"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T19:52:04Z",
"nvd_published_at": "2026-04-02T15:16:39Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAll three OAuth service implementations (`GenericOAuthService`, `GithubOAuthService`, `GoogleOAuthService`) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between `VerifyCode()` and `Userinfo()` causes one user to receive a session with the other user\u0027s identity.\n\n### Details\n\nThe [`OAuthBrokerService.GetService()`](https://github.com/steveiliop56/tinyauth/blob/592b7ded24959013f8af63ab9930254c752c8c8e/internal/service/oauth_broker_service.go#L70-L72) returns a single shared instance per provider for every request. The OAuth flow stores intermediate state as struct fields on this singleton:\n\n**Token storage** \u2014 [`generic_oauth_service.go` line 96](https://github.com/steveiliop56/tinyauth/blob/592b7ded24959013f8af63ab9930254c752c8c8e/internal/service/generic_oauth_service.go#L96):\n```go\ngeneric.token = token // Shared mutable field on singleton\n```\n\n**Verifier storage** \u2014 [`generic_oauth_service.go` line 81](https://github.com/steveiliop56/tinyauth/blob/592b7ded24959013f8af63ab9930254c752c8c8e/internal/service/generic_oauth_service.go#L81):\n```go\ngeneric.verifier = verifier // Shared mutable field on singleton\n```\n\nIn the callback handler [`oauth_controller.go` lines 136\u2013143](https://github.com/steveiliop56/tinyauth/blob/592b7ded24959013f8af63ab9930254c752c8c8e/internal/controller/oauth_controller.go#L136-L143), the code calls:\n```go\nerr = service.VerifyCode(code) // line 136 \u2014 stores token on singleton\n// ... race window ...\nuser, err := controller.broker.GetUser(req.Provider) // line 143 \u2014 reads token from singleton\n```\n\nBetween these two calls, a concurrent request\u0027s `VerifyCode()` can overwrite the `token` field, causing `GetUser()` \u2192 `Userinfo()` to fetch the **wrong user\u0027s** identity claims.\n\nThe same pattern exists in all three implementations:\n- [`github_oauth_service.go` lines 34\u201339, 77, 86\u201399](https://github.com/steveiliop56/tinyauth/blob/592b7ded24959013f8af63ab9930254c752c8c8e/internal/service/github_oauth_service.go#L34-L39)\n- [`google_oauth_service.go` lines 22\u201327, 65, 73\u201387](https://github.com/steveiliop56/tinyauth/blob/592b7ded24959013f8af63ab9930254c752c8c8e/internal/service/google_oauth_service.go#L22-L27)\n\n### PoC\n\n**Race scenario** (two concurrent OAuth callbacks):\n\n1. User A and User B both click \"Login with GitHub\" on the same tinyauth instance\n2. Both are redirected to GitHub, authorize, and GitHub redirects both back with authorization codes\n3. Both callbacks arrive at tinyauth nearly simultaneously:\n\n```\nTimeline:\n t0: Request A \u2192 service.VerifyCode(codeA) \u2192 singleton.token = tokenA\n t1: Request B \u2192 service.VerifyCode(codeB) \u2192 singleton.token = tokenB (overwrites tokenA)\n t2: Request A \u2192 broker.GetUser(\"github\") \u2192 Userinfo() reads singleton.token = tokenB\n t3: Request A receives User B\u0027s identity (email, name, groups)\n```\n\nUser A now has a tinyauth session with User B\u0027s email, gaining access to all resources User B is authorized for via tinyauth\u0027s ACL.\n\n**PKCE verifier DoS variant**: Even with PKCE, concurrent `oauthURLHandler` calls overwrite the `verifier` field, causing `VerifyCode()` to send the wrong verifier to the OAuth provider, which rejects the exchange.\n\n**Static verification**: Run Go\u0027s race detector on a test that calls `VerifyCode` and `Userinfo` concurrently on the same service instance \u2014 the `-race` flag will flag data races on the `token` and `verifier` fields.\n\n**Go race detector confirmation**: Running a concurrent test with `go test -race` on the singleton service detects **4 data races** on the `token` and `verifier` fields. Without the race detector, measured token overwrite rate is 99.9% (9,985/10,000 iterations).\n\n**Test environment**: tinyauth v5.0.4, commit `592b7ded`, Go race detector + source code analysis\n\n### Impact\n\nAn attacker who times their OAuth callback to race with a victim\u0027s callback can obtain a tinyauth session with the victim\u0027s identity. This grants unauthorized access to all resources the victim is permitted to access through tinyauth\u0027s ACL system. The probability of collision increases with concurrent OAuth traffic.\n\nThe PKCE verifier overwrite additionally causes a denial-of-service: concurrent OAuth logins for the same provider reliably fail.\n\n### Suggested Fix\n\nPass verifier and token through method parameters or return values instead of storing them on the singleton:\n\n```go\nfunc (generic *GenericOAuthService) VerifyCode(code string, verifier string) (*oauth2.Token, error) {\n return generic.config.Exchange(generic.context, code, oauth2.VerifierOption(verifier))\n}\n\nfunc (generic *GenericOAuthService) Userinfo(token *oauth2.Token) (config.Claims, error) {\n client := generic.config.Client(generic.context, token)\n // ...\n}\n```\n\nStore the PKCE verifier in the session/cookie associated with the OAuth `state` parameter, not on the service struct.",
"id": "GHSA-9q5m-jfc4-wc92",
"modified": "2026-04-06T17:18:24Z",
"published": "2026-04-01T19:52:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33544"
},
{
"type": "WEB",
"url": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803"
},
{
"type": "PACKAGE",
"url": "https://github.com/steveiliop56/tinyauth"
},
{
"type": "WEB",
"url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Tinyauth has OAuth account confusion via shared mutable state on singleton service instances"
}
GHSA-9Q85-MV98-F8HX
Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2024-04-04 06:02In bluetooth service, there is a possible out of bounds write due to race condition. This could lead to local denial of service with System execution privileges needed.
{
"affected": [],
"aliases": [
"CVE-2022-48451"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T09:15:10Z",
"severity": "MODERATE"
},
"details": "In bluetooth service, there is a possible out of bounds write due to race condition. This could lead to local denial of service with System execution privileges needed.",
"id": "GHSA-9q85-mv98-f8hx",
"modified": "2024-04-04T06:02:21Z",
"published": "2023-07-12T09:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48451"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1676902764208259073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QCJ-GPQG-C7CW
Vulnerability from github – Published: 2022-05-01 23:55 – Updated: 2022-05-01 23:55Race condition in (1) checkinstall 1.6.1 and (2) installwatch allows local users to overwrite arbitrary files and have other impacts via symlink and possibly other attacks on temporary working directories.
{
"affected": [],
"aliases": [
"CVE-2008-2958"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-07-01T22:41:00Z",
"severity": "MODERATE"
},
"details": "Race condition in (1) checkinstall 1.6.1 and (2) installwatch allows local users to overwrite arbitrary files and have other impacts via symlink and possibly other attacks on temporary working directories.",
"id": "GHSA-9qcj-gpqg-c7cw",
"modified": "2022-05-01T23:55:07Z",
"published": "2022-05-01T23:55:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2958"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43440"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488140"
},
{
"type": "WEB",
"url": "http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-June/001672.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/30873"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9QJG-WX3M-W8J2
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-64661"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T18:16:05Z",
"severity": "HIGH"
},
"details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows Shell allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-9qjg-wx3m-w8j2",
"modified": "2025-12-09T18:30:47Z",
"published": "2025-12-09T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64661"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64661"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.