CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2907 vulnerabilities reference this CWE, most recent first.
GHSA-C88G-QXQF-4VRH
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2025-01-16 21:30Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.
{
"affected": [],
"aliases": [
"CVE-2013-1275"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-02-13T12:04:00Z",
"severity": "MODERATE"
},
"details": "Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.",
"id": "GHSA-c88g-qxqf-4vrh",
"modified": "2025-01-16T21:30:54Z",
"published": "2022-05-13T01:15:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1275"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-016"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16399"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA13-043B.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C898-7QPG-FW83
Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-04-23 21:31In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix race in cpumap on PREEMPT_RT
On PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU.
The original code assumes bq_enqueue() and __cpu_map_flush() run atomically with respect to each other on the same CPU, relying on local_bh_disable() to prevent preemption. However, on PREEMPT_RT, local_bh_disable() only calls migrate_disable() (when PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable preemption, which allows CFS scheduling to preempt a task during bq_flush_to_queue(), enabling another task on the same CPU to enter bq_enqueue() and operate on the same per-CPU bq concurrently.
This leads to several races:
-
Double __list_del_clearprev(): after bq->count is reset in bq_flush_to_queue(), a preempting task can call bq_enqueue() -> bq_flush_to_queue() on the same bq when bq->count reaches CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev() on the same bq->flush_node, the second call dereferences the prev pointer that was already set to NULL by the first.
-
bq->count and bq->q[] races: concurrent bq_enqueue() can corrupt the packet queue while bq_flush_to_queue() is processing it.
The race between task A (__cpu_map_flush -> bq_flush_to_queue) and task B (bq_enqueue -> bq_flush_to_queue) on the same CPU:
Task A (xdp_do_flush) Task B (cpu_map_enqueue) ---------------------- ------------------------ bq_flush_to_queue(bq) spin_lock(&q->producer_lock) / flush bq->q[] to ptr_ring / bq->count = 0 spin_unlock(&q->producer_lock) bq_enqueue(rcpu, xdpf) <-- CFS preempts Task A --> bq->q[bq->count++] = xdpf / ... more enqueues until full ... / bq_flush_to_queue(bq) spin_lock(&q->producer_lock) / flush to ptr_ring / spin_unlock(&q->producer_lock) __list_del_clearprev(flush_node) / sets flush_node.prev = NULL / <-- Task A resumes --> __list_del_clearprev(flush_node) flush_node.prev->next = ... / prev is NULL -> kernel oops /
Fix this by adding a local_lock_t to xdp_bulk_queue and acquiring it in bq_enqueue() and __cpu_map_flush(). These paths already run under local_bh_disable(), so use local_lock_nested_bh() which on non-RT is a pure annotation with no overhead, and on PREEMPT_RT provides a per-CPU sleeping lock that serializes access to the bq.
To reproduce, insert an mdelay(100) between bq->count = 0 and __list_del_clearprev() in bq_flush_to_queue(), then run reproducer provided by syzkaller.
{
"affected": [],
"aliases": [
"CVE-2026-23342"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T11:16:32Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix race in cpumap on PREEMPT_RT\n\nOn PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed\nconcurrently by multiple preemptible tasks on the same CPU.\n\nThe original code assumes bq_enqueue() and __cpu_map_flush() run\natomically with respect to each other on the same CPU, relying on\nlocal_bh_disable() to prevent preemption. However, on PREEMPT_RT,\nlocal_bh_disable() only calls migrate_disable() (when\nPREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable\npreemption, which allows CFS scheduling to preempt a task during\nbq_flush_to_queue(), enabling another task on the same CPU to enter\nbq_enqueue() and operate on the same per-CPU bq concurrently.\n\nThis leads to several races:\n\n1. Double __list_del_clearprev(): after bq-\u003ecount is reset in\n bq_flush_to_queue(), a preempting task can call bq_enqueue() -\u003e\n bq_flush_to_queue() on the same bq when bq-\u003ecount reaches\n CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev()\n on the same bq-\u003eflush_node, the second call dereferences the\n prev pointer that was already set to NULL by the first.\n\n2. bq-\u003ecount and bq-\u003eq[] races: concurrent bq_enqueue() can corrupt\n the packet queue while bq_flush_to_queue() is processing it.\n\nThe race between task A (__cpu_map_flush -\u003e bq_flush_to_queue) and\ntask B (bq_enqueue -\u003e bq_flush_to_queue) on the same CPU:\n\n Task A (xdp_do_flush) Task B (cpu_map_enqueue)\n ---------------------- ------------------------\n bq_flush_to_queue(bq)\n spin_lock(\u0026q-\u003eproducer_lock)\n /* flush bq-\u003eq[] to ptr_ring */\n bq-\u003ecount = 0\n spin_unlock(\u0026q-\u003eproducer_lock)\n bq_enqueue(rcpu, xdpf)\n \u003c-- CFS preempts Task A --\u003e bq-\u003eq[bq-\u003ecount++] = xdpf\n /* ... more enqueues until full ... */\n bq_flush_to_queue(bq)\n spin_lock(\u0026q-\u003eproducer_lock)\n /* flush to ptr_ring */\n spin_unlock(\u0026q-\u003eproducer_lock)\n __list_del_clearprev(flush_node)\n /* sets flush_node.prev = NULL */\n \u003c-- Task A resumes --\u003e\n __list_del_clearprev(flush_node)\n flush_node.prev-\u003enext = ...\n /* prev is NULL -\u003e kernel oops */\n\nFix this by adding a local_lock_t to xdp_bulk_queue and acquiring it\nin bq_enqueue() and __cpu_map_flush(). These paths already run under\nlocal_bh_disable(), so use local_lock_nested_bh() which on non-RT is\na pure annotation with no overhead, and on PREEMPT_RT provides a\nper-CPU sleeping lock that serializes access to the bq.\n\nTo reproduce, insert an mdelay(100) between bq-\u003ecount = 0 and\n__list_del_clearprev() in bq_flush_to_queue(), then run reproducer\nprovided by syzkaller.",
"id": "GHSA-c898-7qpg-fw83",
"modified": "2026-04-23T21:31:18Z",
"published": "2026-03-25T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23342"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8CV-8GR5-5V2W
Vulnerability from github – Published: 2023-05-27 00:30 – Updated: 2024-02-01 03:30There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.
{
"affected": [],
"aliases": [
"CVE-2023-2898"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-26T22:15:14Z",
"severity": "MODERATE"
},
"details": "There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.",
"id": "GHSA-c8cv-8gr5-5v2w",
"modified": "2024-02-01T03:30:22Z",
"published": "2023-05-27T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2898"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-chao%40kernel.org"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-chao@kernel.org"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230929-0002"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5480"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5492"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8HJ-7V4H-6CCV
Vulnerability from github – Published: 2023-05-08 21:31 – Updated: 2024-04-04 03:52This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A remote user may be able to cause unexpected app termination or arbitrary code execution
{
"affected": [],
"aliases": [
"CVE-2023-28201"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-08T20:15:19Z",
"severity": "CRITICAL"
},
"details": "This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A remote user may be able to cause unexpected app termination or arbitrary code execution",
"id": "GHSA-c8hj-7v4h-6ccv",
"modified": "2024-04-04T03:52:34Z",
"published": "2023-05-08T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28201"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213670"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213671"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213673"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213674"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213676"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213674"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8JC-4XGP-98R9
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 21:31In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Flush exception handling work when RPM level is zero
Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0.
When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash.
Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence.
{
"affected": [],
"aliases": [
"CVE-2026-43275"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Flush exception handling work when RPM level is zero\n\nEnsure that the exception event handling work is explicitly flushed during\nsuspend when the runtime power management level is set to UFS_PM_LVL_0.\n\nWhen the RPM level is zero, the device power mode and link state both\nremain active. Previously, the UFS core driver bypassed flushing exception\nevent handling jobs in this configuration. This created a race condition\nwhere the driver could attempt to access the host controller to handle an\nexception after the system had already entered a deep power-down state,\nresulting in a system crash.\n\nExplicitly flush this work and disable auto BKOPs before the suspend\ncallback proceeds. This guarantees that pending exception tasks complete\nand prevents illegal hardware access during the power-down sequence.",
"id": "GHSA-c8jc-4xgp-98r9",
"modified": "2026-05-08T21:31:21Z",
"published": "2026-05-06T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43275"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d186731bc335cc049d4e57ab9f563cfab95593e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78d8e2d6352e8317686ee3a44811ac14c415a57d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aa8d68d97c7f0ef966e51afc17fdbdc372700edf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aac2fee7513dd25042a616f86a1469b4858d2c5c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab71c146c135f9af1614ef0fc29a0a3b84f1a373"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d5c3a1a13f97355c397f9439d79cb04b182958a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8ef441811ec413717f188f63d99182f30f0f08e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8QW-H3F6-FV63
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2025-12-18 00:34OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
{
"affected": [],
"aliases": [
"CVE-2018-15473"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-17T19:29:00Z",
"severity": "MODERATE"
},
"details": "OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.",
"id": "GHSA-c8qw-h3f6-fv63",
"modified": "2025-12-18T00:34:04Z",
"published": "2022-05-13T01:19:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15473"
},
{
"type": "WEB",
"url": "https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0711"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2143"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/906236"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00022.html"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0011"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201810-03"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20181101-0001"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3809-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4280"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45210"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45233"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45939"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2018/08/15/5"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105140"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041487"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C8W8-4F3F-5V3J
Vulnerability from github – Published: 2022-03-05 00:00 – Updated: 2022-03-18 00:01A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2021-3640"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-03T23:15:00Z",
"severity": "HIGH"
},
"details": "A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.",
"id": "GHSA-c8w8-4f3f-5v3j",
"modified": "2022-03-18T00:01:30Z",
"published": "2022-03-05T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3640"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/99c23da0eed4fd20cae8243f2b51e10e66aa0951"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:7444"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:7683"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:7933"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8267"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-3640"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1980646"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/bluetooth/sco.c?h=v5.16\u0026id=99c23da0eed4fd20cae8243f2b51e10e66aa0951"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"
},
{
"type": "WEB",
"url": "https://lkml.org/lkml/2021/8/28/238"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220419-0003"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2021-3640"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5096"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/07/22/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8WJ-435X-F2CC
Vulnerability from github – Published: 2023-05-26 21:30 – Updated: 2024-04-04 04:21A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm() and siglongjmp(). When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.
{
"affected": [],
"aliases": [
"CVE-2023-28320"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-26T21:15:15Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability exists in curl \u003cv8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.",
"id": "GHSA-c8wj-435x-f2cc",
"modified": "2024-04-04T04:21:32Z",
"published": "2023-05-26T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28320"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1929597"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-12"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230609-0009"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213843"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213844"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213845"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jul/47"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jul/48"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jul/52"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C96V-VVF3-2P7R
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-04-02 15:31In the Linux kernel, the following vulnerability has been resolved:
tls: Fix race condition in tls_sw_cancel_work_tx()
This issue was discovered during a code audit.
After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object.
The following is a simple race scenario:
cpu0 cpu1
tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0);
To prevent this race condition, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
{
"affected": [],
"aliases": [
"CVE-2026-23240"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:13Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Fix race condition in tls_sw_cancel_work_tx()\n\nThis issue was discovered during a code audit.\n\nAfter cancel_delayed_work_sync() is called from tls_sk_proto_close(),\ntx_work_handler() can still be scheduled from paths such as the\nDelayed ACK handler or ksoftirqd.\nAs a result, the tx_work_handler() worker may dereference a freed\nTLS object.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\ntls_sk_proto_close()\n tls_sw_cancel_work_tx()\n tls_write_space()\n tls_sw_write_space()\n if (!test_and_set_bit(BIT_TX_SCHEDULED, \u0026tx_ctx-\u003etx_bitmask))\n set_bit(BIT_TX_SCHEDULED, \u0026ctx-\u003etx_bitmask);\n cancel_delayed_work_sync(\u0026ctx-\u003etx_work.work);\n schedule_delayed_work(\u0026tx_ctx-\u003etx_work.work, 0);\n\nTo prevent this race condition, cancel_delayed_work_sync() is\nreplaced with disable_delayed_work_sync().",
"id": "GHSA-c96v-vvf3-2p7r",
"modified": "2026-04-02T15:31:35Z",
"published": "2026-03-10T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23240"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/17153f154f80be2b47ebf52840f2d8f724eb2f3b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7bb09315f93dce6acc54bf59e5a95ba7365c2be4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/854cd32bc74fe573353095e90958490e4e4d641b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a5de36d6cee74a92c1a21b260bc507e64bc451de"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C97P-79CX-VQH9
Vulnerability from github – Published: 2022-05-14 02:50 – Updated: 2025-04-20 03:40Race condition in the bindBackupAgent method in the ActivityManagerService in Android 4.4.4 allows local users with adb shell access to execute arbitrary code or any valid package as system by running "pm install" with the target apk, and simultaneously running a crafted script to process logcat's output looking for a dexopt line, which once found should execute bindBackupAgent with the uid member of the ApplicationInfo parameter set to 1000.
{
"affected": [],
"aliases": [
"CVE-2014-7953"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-07T17:29:00Z",
"severity": "HIGH"
},
"details": "Race condition in the bindBackupAgent method in the ActivityManagerService in Android 4.4.4 allows local users with adb shell access to execute arbitrary code or any valid package as system by running \"pm install\" with the target apk, and simultaneously running a crafted script to process logcat\u0027s output looking for a dexopt line, which once found should execute bindBackupAgent with the uid member of the ApplicationInfo parameter set to 1000.",
"id": "GHSA-c97p-79cx-vqh9",
"modified": "2025-04-20T03:40:26Z",
"published": "2022-05-14T02:50:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7953"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/a8f6d1b%5E!"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/a8f6d1b%5E%21"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2015/Apr/52"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/535296/100/1100/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/74213"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.