CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2907 vulnerabilities reference this CWE, most recent first.
GHSA-CV34-V4CF-53PQ
Vulnerability from github – Published: 2023-04-24 06:31 – Updated: 2025-11-04 00:30An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.
{
"affected": [],
"aliases": [
"CVE-2023-31083"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-24T06:15:07Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu-\u003eproto is set. A NULL pointer dereference may occur.",
"id": "GHSA-cv34-v4cf-53pq",
"modified": "2025-11-04T00:30:37Z",
"published": "2023-04-24T06:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1210780"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9c33663af9ad115f90c076a1828129a3fbadea98"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g%40mail.gmail.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230929-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CV5F-F45R-4CQF
Vulnerability from github – Published: 2024-03-06 09:30 – Updated: 2025-02-14 18:30In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Add mutex lock in control vblank irq
Add a mutex lock to control vblank irq to synchronize vblank enable/disable operations happening from different threads to prevent race conditions while registering/unregistering the vblank irq callback.
v4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a parameter of dpu_encoder_phys. -Switch from atomic refcnt to a simple int counter as mutex has now been added v3: Mistakenly did not change wording in last version. It is done now. v2: Slightly changed wording of commit message
Patchwork: https://patchwork.freedesktop.org/patch/571854/
{
"affected": [],
"aliases": [
"CVE-2023-52586"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-06T07:15:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n parameter of dpu_encoder_phys.\n -Switch from atomic refcnt to a simple int counter as mutex has\n now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/",
"id": "GHSA-cv5f-f45r-4cqf",
"modified": "2025-02-14T18:30:44Z",
"published": "2024-03-06T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52586"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CV7P-3H5M-XVWM
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2025-04-20 03:48In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges.
{
"affected": [],
"aliases": [
"CVE-2017-16001"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-06T17:29:00Z",
"severity": "HIGH"
},
"details": "In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges.",
"id": "GHSA-cv7p-3h5m-xvwm",
"modified": "2025-04-20T03:48:04Z",
"published": "2022-05-13T01:44:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16001"
},
{
"type": "WEB",
"url": "https://m4.rkw.io/blog/cve201716001-local-root-privesc-in-hashicorp-vagrantvmwarefusion-501.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43220"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CV8Q-MPVF-42H2
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2025-10-22 00:31Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1.
{
"affected": [],
"aliases": [
"CVE-2020-6819"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-24T16:15:00Z",
"severity": "MODERATE"
},
"details": "Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird \u003c 68.7.0, Firefox \u003c 74.0.1, and Firefox ESR \u003c 68.6.1.",
"id": "GHSA-cv8q-mpvf-42h2",
"modified": "2025-10-22T00:31:53Z",
"published": "2022-05-24T17:16:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6819"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1620818"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4335-1"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-6819"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-11"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CV9G-JFQ4-8WP6
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.
{
"affected": [],
"aliases": [
"CVE-2013-1259"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-02-13T12:04:00Z",
"severity": "MODERATE"
},
"details": "Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges, and consequently read the contents of arbitrary kernel memory locations, via a crafted application, a different vulnerability than other CVEs listed in MS13-016.",
"id": "GHSA-cv9g-jfq4-8wp6",
"modified": "2022-05-13T01:15:44Z",
"published": "2022-05-13T01:15:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1259"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-016"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16344"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA13-043B.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CV9M-PRXM-594H
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-11-18 21:32In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race between async reclaim worker and close_ctree()
Syzbot reported an assertion failure due to an attempt to add a delayed iput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info state:
WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420 Modules linked in: CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: btrfs-endio-write btrfs_work_helper RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420 Code: 4e ad 5d (...) RSP: 0018:ffffc9000213f780 EFLAGS: 00010293 RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00 RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000 RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001 R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100 FS: 0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635 btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312 btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
This can happen due to a race with the async reclaim worker like this:
1) The async metadata reclaim worker enters shrink_delalloc(), which calls btrfs_start_delalloc_roots() with an nr_pages argument that has a value less than LONG_MAX, and that in turn enters start_delalloc_inodes(), which sets the local variable 'full_flush' to false because wbc->nr_to_write is less than LONG_MAX;
2) There it finds inode X in a root's delalloc list, grabs a reference for inode X (with igrab()), and triggers writeback for it with filemap_fdatawrite_wbc(), which creates an ordered extent for inode X;
3) The unmount sequence starts from another task, we enter close_ctree() and we flush the workqueue fs_info->endio_write_workers, which waits for the ordered extent for inode X to complete and when dropping the last reference of the ordered extent, with btrfs_put_ordered_extent(), when we call btrfs_add_delayed_iput() we don't add the inode to the list of delayed iputs because it has a refcount of 2, so we decrement it to 1 and return;
4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info state;
5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now calls btrfs_add_delayed_iput() for inode X and there we trigger an assertion failure since the fs_info state has the flag BTRFS_FS_STATE_NO_DELAYED_IPUT set.
Fix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for the async reclaim workers to finish, after we call cancel_work_sync() for them at close_ctree(), and by running delayed iputs after wait for the reclaim workers to finish and before setting the bit.
This race was recently introduced by commit 19e60b2a95f5 ("btrfs: add extra warning if delayed iput is added when it's not allowed"). Without the new validation at btrfs_add_delayed_iput(), ---truncated---
{
"affected": [],
"aliases": [
"CVE-2025-38358"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T13:15:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between async reclaim worker and close_ctree()\n\nSyzbot reported an assertion failure due to an attempt to add a delayed\niput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info\nstate:\n\n WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420\n Modules linked in:\n CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full)\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n Workqueue: btrfs-endio-write btrfs_work_helper\n RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420\n Code: 4e ad 5d (...)\n RSP: 0018:ffffc9000213f780 EFLAGS: 00010293\n RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00\n RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000\n RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c\n R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001\n R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100\n FS: 0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635\n btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312\n btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nThis can happen due to a race with the async reclaim worker like this:\n\n1) The async metadata reclaim worker enters shrink_delalloc(), which calls\n btrfs_start_delalloc_roots() with an nr_pages argument that has a value\n less than LONG_MAX, and that in turn enters start_delalloc_inodes(),\n which sets the local variable \u0027full_flush\u0027 to false because\n wbc-\u003enr_to_write is less than LONG_MAX;\n\n2) There it finds inode X in a root\u0027s delalloc list, grabs a reference for\n inode X (with igrab()), and triggers writeback for it with\n filemap_fdatawrite_wbc(), which creates an ordered extent for inode X;\n\n3) The unmount sequence starts from another task, we enter close_ctree()\n and we flush the workqueue fs_info-\u003eendio_write_workers, which waits\n for the ordered extent for inode X to complete and when dropping the\n last reference of the ordered extent, with btrfs_put_ordered_extent(),\n when we call btrfs_add_delayed_iput() we don\u0027t add the inode to the\n list of delayed iputs because it has a refcount of 2, so we decrement\n it to 1 and return;\n\n4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which\n runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT\n in the fs_info state;\n\n5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now\n calls btrfs_add_delayed_iput() for inode X and there we trigger an\n assertion failure since the fs_info state has the flag\n BTRFS_FS_STATE_NO_DELAYED_IPUT set.\n\nFix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for\nthe async reclaim workers to finish, after we call cancel_work_sync() for\nthem at close_ctree(), and by running delayed iputs after wait for the\nreclaim workers to finish and before setting the bit.\n\nThis race was recently introduced by commit 19e60b2a95f5 (\"btrfs: add\nextra warning if delayed iput is added when it\u0027s not allowed\"). Without\nthe new validation at btrfs_add_delayed_iput(), \n---truncated---",
"id": "GHSA-cv9m-prxm-594h",
"modified": "2025-11-18T21:32:29Z",
"published": "2025-07-25T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38358"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4693cda2c06039c875f2eef0123b22340c34bfa0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a26bf338cdad3643a6e7c3d78a172baadba15c1a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVFQ-G9VP-7RFJ
Vulnerability from github – Published: 2025-08-06 03:30 – Updated: 2025-08-06 03:30Race condition issue occurring in the physical page import process of the memory management module. Impact: Successful exploitation of this vulnerability may affect service integrity.
{
"affected": [],
"aliases": [
"CVE-2025-54629"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T03:15:26Z",
"severity": "MODERATE"
},
"details": "Race condition issue occurring in the physical page import process of the memory management module.\nImpact: Successful exploitation of this vulnerability may affect service integrity.",
"id": "GHSA-cvfq-g9vp-7rfj",
"modified": "2025-08-06T03:30:27Z",
"published": "2025-08-06T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54629"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVM4-P7MC-W25Q
Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-20918"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T18:16:17Z",
"severity": "HIGH"
},
"details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows Management Services allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-cvm4-p7mc-w25q",
"modified": "2026-01-13T18:31:10Z",
"published": "2026-01-13T18:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20918"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20918"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVPW-2W45-GM65
Vulnerability from github – Published: 2024-02-05 09:30 – Updated: 2024-06-27 15:30A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.
{
"affected": [],
"aliases": [
"CVE-2024-24861"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-05T08:15:45Z",
"severity": "LOW"
},
"details": "A race condition was found in the Linux kernel\u0027s media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n",
"id": "GHSA-cvpw-2w45-gm65",
"modified": "2024-06-27T15:30:37Z",
"published": "2024-02-05T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861"
},
{
"type": "WEB",
"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8150"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CVRV-X3HX-3392
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2025-53132"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T18:15:36Z",
"severity": "HIGH"
},
"details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows Win32K - GRFX allows an authorized attacker to elevate privileges over a network.",
"id": "GHSA-cvrv-x3hx-3392",
"modified": "2025-08-12T18:31:31Z",
"published": "2025-08-12T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53132"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53132"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.