Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2908 vulnerabilities reference this CWE, most recent first.

GHSA-RV9W-MXPP-HWHJ

Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-03-17 00:03
VLAI
Details

.A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3609"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-03T19:15:00Z",
    "severity": "HIGH"
  },
  "details": ".A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.",
  "id": "GHSA-rv9w-mxpp-hwhj",
  "modified": "2022-03-17T00:03:44Z",
  "published": "2022-03-04T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3609"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/d5f9023fa61ee8b94f37a93f08e94b136cf1e463"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3044"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3057"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3088"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3235"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3363"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3375"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3380"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3442"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3444"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2021-3609"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220419-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/06/19/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVJ4-Q8Q5-8GRF

Vulnerability from github – Published: 2024-06-20 16:20 – Updated: 2024-06-20 16:20
VLAI
Summary
ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability
Details

Impact

There is a vulnerability in Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

References

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.5
  • https://github.com/traefik/traefik/releases/tag/v3.0.3

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-20T16:20:25Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThere is a vulnerability in [Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2024-35255).\n\n### References\n\n- [CVE-2024-35255](https://nvd.nist.gov/vuln/detail/CVE-2024-35255)\n\n### Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.5\n- https://github.com/traefik/traefik/releases/tag/v3.0.3\n\n### Workarounds\n\nNo workaround.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
  "id": "GHSA-rvj4-q8q5-8grf",
  "modified": "2024-06-20T16:20:25Z",
  "published": "2024-06-20T16:20:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-rvj4-q8q5-8grf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.0.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability"
}

GHSA-RVMF-QFPG-9QGJ

Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 thorugh 6.0.7, including an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay, may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 thorugh 6.0.7, including an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay, may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer.",
  "id": "GHSA-rvmf-qfpg-9qgj",
  "modified": "2022-07-13T00:01:41Z",
  "published": "2021-12-09T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41025"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-21-130"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVQ6-RPM5-73FG

Vulnerability from github – Published: 2022-05-14 02:42 – Updated: 2022-05-14 02:42
VLAI
Details

Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-11-17T16:00:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.",
  "id": "GHSA-rvq6-rpm5-73fg",
  "modified": "2022-05-14T02:42:51Z",
  "published": "2022-05-14T02:42:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3864"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2010:0888"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2010-3864"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=649304"
    },
    {
      "type": "WEB",
      "url": "https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html"
    },
    {
      "type": "WEB",
      "url": "https://rhn.redhat.com/errata/RHSA-2010-0888.html"
    },
    {
      "type": "WEB",
      "url": "http://blogs.sun.com/security/entry/cve_2010_3864_race_condition"
    },
    {
      "type": "WEB",
      "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051170.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051237.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051255.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=129916880600544\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=130497251507577\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=132828103218869\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://openssl.org/news/secadv_20101116.txt"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42241"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42243"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42309"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42336"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42352"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42397"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42413"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43312"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/44269"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/57353"
    },
    {
      "type": "WEB",
      "url": "http://security.FreeBSD.org/advisories/FreeBSD-SA-10:10.openssl.asc"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1024743"
    },
    {
      "type": "WEB",
      "url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2010\u0026m=slackware-security.668793"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4723"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564"
    },
    {
      "type": "WEB",
      "url": "http://www.adobe.com/support/security/bulletins/apsb11-11.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2125"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/737740"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/516397/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/3041"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/3077"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/3097"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/3121"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RVQF-8MP6-8QJG

Vulnerability from github – Published: 2026-04-22 03:31 – Updated: 2026-04-22 03:31
VLAI
Details

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T03:16:01Z",
    "severity": "HIGH"
  },
  "details": "OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.",
  "id": "GHSA-rvqf-8mp6-8qjg",
  "modified": "2026-04-22T03:31:36Z",
  "published": "2026-04-22T03:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41458"
    },
    {
      "type": "WEB",
      "url": "https://github.com/owntone/owntone-server/pull/1980"
    },
    {
      "type": "WEB",
      "url": "https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RVR2-R3PV-5M4P

Vulnerability from github – Published: 2026-01-27 00:59 – Updated: 2026-01-27 00:59
VLAI
Summary
oneshot has potential Use After Free when used asynchronously
Details

There is a race condition that can lead to a use-after-free if a oneshot::Receiver is polled but then dropped instead of polled to completion. This could happen if the receiver future was cancelled while receiving, for example by being wrapped in a timeout future or similar.

When the Receiver is polled (Future::poll) it writes a waker to the channel and sets it to the RECEIVING state. If the Receiver was then dropped (instead of polled to completion), the Drop implementation on Receiver unconditionally swapped the channel state to DISCONNECTED and only after doing so it read back its waker from the heap allocation and dropped it. The problem is that the DISCONNECTED state could be observed by the Sender, which would lead to it deallocating the channel heap memory. If the Sender manage to free the channel before the Receiver managed to proceed to dropping the waker, then the Receiver would read from the freed channel memory (Use After Free).

The fix was submitted in https://github.com/faern/oneshot/pull/74 and published as part of oneshot version 0.1.12.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "oneshot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-27T00:59:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "There is a race condition that can lead to a use-after-free if a `oneshot::Receiver` is polled but then dropped instead of polled to completion. This could happen if the receiver future was cancelled while receiving, for example by being wrapped in a timeout future or similar.\n\nWhen the `Receiver` is polled (`Future::poll`) it writes a waker to the channel and sets it to the `RECEIVING` state. If the `Receiver` was then dropped (instead of polled to completion), the `Drop` implementation on `Receiver` unconditionally swapped the channel state to `DISCONNECTED` and only after doing so it read back its waker from the heap allocation and dropped it. The problem is that the `DISCONNECTED` state could be observed by the `Sender`, which would lead to it deallocating the channel heap memory. If the `Sender` manage to free the channel before the `Receiver` managed to proceed to dropping the waker, then the `Receiver` would read from the freed channel memory (Use After Free).\n\nThe fix was submitted in https://github.com/faern/oneshot/pull/74 and published as part of `oneshot` version `0.1.12`.",
  "id": "GHSA-rvr2-r3pv-5m4p",
  "modified": "2026-01-27T00:59:05Z",
  "published": "2026-01-27T00:59:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faern/oneshot/issues/73"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rustsec/advisory-db/pull/2600"
    },
    {
      "type": "WEB",
      "url": "https://github.com/faern/oneshot/commit/d1a1506010bc48962634807d0dcca682af4f50ba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faern/oneshot"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0005.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "oneshot has potential Use After Free when used asynchronously"
}

GHSA-RW8F-7P48-8M3H

Vulnerability from github – Published: 2022-09-08 00:00 – Updated: 2022-09-14 00:00
VLAI
Details

A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-07T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3.",
  "id": "GHSA-rw8f-7p48-8m3h",
  "modified": "2022-09-14T00:00:41Z",
  "published": "2022-09-08T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31251"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1201674"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RW9R-WQX2-72F7

Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2025-09-17 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bonding: fix oops during rmmod

"rmmod bonding" causes an oops ever since commit cc317ea3d927 ("bonding: remove redundant NULL check in debugfs function"). Here are the relevant functions being called:

bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); bonding_debug_root = NULL; <--------- SET TO NULL HERE bond_netlink_fini() rtnl_link_unregister() __rtnl_link_unregister() unregister_netdevice_many_notify() bond_uninit() bond_debug_unregister() (commit removed check for bonding_debug_root == NULL) debugfs_remove() simple_recursive_removal() down_write() -> OOPS

However, reverting the bad commit does not solve the problem completely because the original code contains a race that could cause the same oops, although it was much less likely to be triggered unintentionally:

CPU1 rmmod bonding bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root);

CPU2 echo -bond0 > /sys/class/net/bonding_masters bond_uninit() bond_debug_unregister() if (!bonding_debug_root)

CPU1 bonding_debug_root = NULL;

So do NOT revert the bad commit (since the removed checks were racy anyway), and instead change the order of actions taken during module removal. The same oops can also happen if there is an error during module init, so apply the same fix there.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-25T15:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix oops during rmmod\n\n\"rmmod bonding\" causes an oops ever since commit cc317ea3d927 (\"bonding:\nremove redundant NULL check in debugfs function\").  Here are the relevant\nfunctions being called:\n\nbonding_exit()\n  bond_destroy_debugfs()\n    debugfs_remove_recursive(bonding_debug_root);\n    bonding_debug_root = NULL; \u003c--------- SET TO NULL HERE\n  bond_netlink_fini()\n    rtnl_link_unregister()\n      __rtnl_link_unregister()\n        unregister_netdevice_many_notify()\n          bond_uninit()\n            bond_debug_unregister()\n              (commit removed check for bonding_debug_root == NULL)\n              debugfs_remove()\n              simple_recursive_removal()\n                down_write() -\u003e OOPS\n\nHowever, reverting the bad commit does not solve the problem completely\nbecause the original code contains a race that could cause the same\noops, although it was much less likely to be triggered unintentionally:\n\nCPU1\n  rmmod bonding\n    bonding_exit()\n      bond_destroy_debugfs()\n        debugfs_remove_recursive(bonding_debug_root);\n\nCPU2\n  echo -bond0 \u003e /sys/class/net/bonding_masters\n    bond_uninit()\n      bond_debug_unregister()\n        if (!bonding_debug_root)\n\nCPU1\n        bonding_debug_root = NULL;\n\nSo do NOT revert the bad commit (since the removed checks were racy\nanyway), and instead change the order of actions taken during module\nremoval.  The same oops can also happen if there is an error during\nmodule init, so apply the same fix there.",
  "id": "GHSA-rw9r-wqx2-72f7",
  "modified": "2025-09-17T18:31:15Z",
  "published": "2024-06-25T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39296"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a45835a0bb6ef7d5ddbc0714dd760de979cb6ece"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf48aee81103ca06d09d73d33fb72f1191069aa6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f07224c16678a8af54ddc059b3d2d51885d7f35e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWCH-4JCH-MJX7

Vulnerability from github – Published: 2022-05-14 02:44 – Updated: 2022-05-14 02:44
VLAI
Details

transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-06-07T17:12:00Z",
    "severity": "MODERATE"
  },
  "details": "transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.",
  "id": "GHSA-rwch-4jch-mjx7",
  "modified": "2022-05-14T02:44:33Z",
  "published": "2022-05-14T02:44:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2024"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=600097"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/59042"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0079.html"
    },
    {
      "type": "WEB",
      "url": "http://bugs.exim.org/show_bug.cgi?id=989"
    },
    {
      "type": "WEB",
      "url": "http://lists.exim.org/lurker/message/20100524.175925.9a69f755.en.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042587.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042613.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/40019"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/40123"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43243"
    },
    {
      "type": "WEB",
      "url": "http://vcs.exim.org/viewvc/exim/exim-doc/doc-txt/ChangeLog?view=markup\u0026pathrev=exim-4_72_RC2"
    },
    {
      "type": "WEB",
      "url": "http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.25\u0026r2=1.26"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/511653/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/40454"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1060-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/1402"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RWCR-RPCC-3G9M

Vulnerability from github – Published: 2026-03-26 18:23 – Updated: 2026-03-27 21:49
VLAI
Summary
elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition
Details

Impact

This vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol.

The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller.

In high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B.

This may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide "valid-looking" yet entirely incorrect and private data to the wrong session.

Patches

fixed in v3.1.4

Resources

https://github.com/revelrylabs/elixir-nodejs/issues/100

https://github.com/revelrylabs/elixir-nodejs/pull/105

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:23:01Z",
    "nvd_published_at": "2026-03-27T20:16:34Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol.\n\nThe lack of request-response correlation creates a \"stale response\" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller.\n\nIn high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B.\n\nThis may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide \"valid-looking\" yet entirely incorrect and private data to the wrong session.\n\n### Patches\n\nfixed in v3.1.4\n\n### Resources\nhttps://github.com/revelrylabs/elixir-nodejs/issues/100\n\nhttps://github.com/revelrylabs/elixir-nodejs/pull/105",
  "id": "GHSA-rwcr-rpcc-3g9m",
  "modified": "2026-03-27T21:49:01Z",
  "published": "2026-03-26T18:23:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/revelrylabs/elixir-nodejs/security/advisories/GHSA-rwcr-rpcc-3g9m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33872"
    },
    {
      "type": "WEB",
      "url": "https://github.com/revelrylabs/elixir-nodejs/issues/100"
    },
    {
      "type": "WEB",
      "url": "https://github.com/revelrylabs/elixir-nodejs/pull/105"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/revelrylabs/elixir-nodejs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/revelrylabs/elixir-nodejs/releases/tag/v3.1.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition"
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.