Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2907 vulnerabilities reference this CWE, most recent first.

GHSA-2CJM-2GWV-M892

Vulnerability from github – Published: 2026-03-12 17:29 – Updated: 2026-03-13 13:36
VLAI
Summary
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Details

Impact

Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy.

Deployments that configure multiple OAuth2 providers via the oauth2: true flag are affected.

Patches

The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated.

Workarounds

There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.6.0-alpha.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T17:29:49Z",
    "nvd_published_at": "2026-03-12T19:16:19Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nParse Server\u0027s built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider\u0027s token validation may execute using another provider\u0027s configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider\u0027s policy.\n\nDeployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected.\n\n### Patches\n\nThe fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider\u0027s configuration is isolated.\n\n### Workarounds\n\nThere is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37",
  "id": "GHSA-2cjm-2gwv-m892",
  "modified": "2026-03-13T13:36:09Z",
  "published": "2026-03-12T17:29:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32242"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.37"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server\u0027s OAuth2 adapter shares mutable state across providers via singleton instance"
}

GHSA-2F8J-M7PX-V4P9

Vulnerability from github – Published: 2022-05-14 03:24 – Updated: 2022-05-14 03:24
VLAI
Details

In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, due to a race condition, a Use After Free condition can occur in the WLAN driver.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-03T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, due to a race condition, a Use After Free condition can occur in the WLAN driver.",
  "id": "GHSA-2f8j-m7px-v4p9",
  "modified": "2022-05-14T03:24:11Z",
  "published": "2022-05-14T03:24:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5826"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FF2-J84C-3HW4

Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39
VLAI
Details

Race condition in HAL layer while processing callback objects received from HIDL due to lack of synchronization between accessing objects in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-21T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in HAL layer while processing callback objects received from HIDL due to lack of synchronization between accessing objects in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
  "id": "GHSA-2ff2-j84c-3hw4",
  "modified": "2022-05-24T17:39:59Z",
  "published": "2022-05-24T17:39:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11152"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/december-2020-bulletin"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/december-2020-security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2FH4-CPV8-68HG

Vulnerability from github – Published: 2022-05-17 05:24 – Updated: 2024-03-21 03:33
VLAI
Details

** DISPUTED ** Race condition in Online Solutions Security Suite 1.5.14905.0 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-5170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-08-25T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "** DISPUTED ** Race condition in Online Solutions Security Suite 1.5.14905.0 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack.  NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute.",
  "id": "GHSA-2fh4-cpv8-68hg",
  "modified": "2024-03-21T03:33:10Z",
  "published": "2022-05-17T05:24:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5170"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2010-05/0026.html"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0066.html"
    },
    {
      "type": "WEB",
      "url": "http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk"
    },
    {
      "type": "WEB",
      "url": "http://matousec.com/info/advisories/khobe-8.0-earthquake-for-windows-desktop-security-software.php"
    },
    {
      "type": "WEB",
      "url": "http://matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php"
    },
    {
      "type": "WEB",
      "url": "http://www.f-secure.com/weblog/archives/00001949.html"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/67660"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/39924"
    },
    {
      "type": "WEB",
      "url": "http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2FW9-CXCH-QX5H

Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-16 18:31
VLAI
Details

Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T22:16:28Z",
    "severity": "MODERATE"
  },
  "details": "Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-2fw9-cxch-qx5h",
  "modified": "2026-04-16T18:31:21Z",
  "published": "2026-04-09T00:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5890"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/487259772"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FXM-8374-C95M

Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: swap: fix race between free_swap_and_cache() and swapoff()

There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map.

This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below).

Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache().

Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this):

--8<-----

__swap_entry_free() might be the last user and result in "count == SWAP_HAS_CACHE".

swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.

So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped().

Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries.

Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry.

Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.]

Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE

Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap().

__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);

What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()?

--8<-----

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T06:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven\u0027t been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn\u0027t present in get_swap_device()\nbecause it doesn\u0027t make sense in general due to the race between getting\nthe reference and swapoff.  So I\u0027ve added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8\u003c-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff-\u003etry_to_unuse() will stop as soon as soon as si-\u003einuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi-\u003einuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-\u003e count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-\u003e count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()-\u003efolio_free_swap()-\u003edelete_from_swap_cache()-\u003e\nput_swap_folio()-\u003efree_swap_slot()-\u003eswapcache_free_entries()-\u003e\nswap_entry_free()-\u003eswap_range_free()-\u003e\n...\nWRITE_ONCE(si-\u003einuse_pages, si-\u003einuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8\u003c-----",
  "id": "GHSA-2fxm-8374-c95m",
  "modified": "2026-05-12T12:31:43Z",
  "published": "2024-05-01T06:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G3V-RQ5J-M37F

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2026-02-10 18:30
VLAI
Details

Concurrent execution using shared resource with improper synchronization ('race condition') in Inbox COM Objects allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:16:11Z",
    "severity": "HIGH"
  },
  "details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Inbox COM Objects allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-2g3v-rq5j-m37f",
  "modified": "2026-02-10T18:30:32Z",
  "published": "2025-10-14T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59282"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59282"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-59282-detection-script-race-condition-in-microsoft-inbox-com-objects"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-59282-mitigation-script-race-condition-in-microsoft-inbox-com-objects"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G4X-FQ3J-CGQ4

Vulnerability from github – Published: 2026-05-12 15:08 – Updated: 2026-06-08 20:12
VLAI
Summary
Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)
Details

Summary

ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage — which processes POST-body parameters (dp) — is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter.

Severity

High (CVSS 3.1: 7.5)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Attack Vector: Network — server binds to 0.0.0.0:6664 by default; reachable by any network peer.
  • Attack Complexity: Low — the attacker controls both trigger conditions: the data field that populates the second stage's work queue, and the target URL they point at a reflective server they control.
  • Privileges Required: None — --api-key defaults to "", so no auth middleware is registered.
  • User Interaction: None.
  • Scope: Unchanged — a goroutine panic without a recover terminates the entire Go process; the impact stays within the dalfox process authority.
  • Confidentiality Impact: None.
  • Integrity Impact: None.
  • Availability Impact: High — the entire dalfox server process crashes, requiring manual restart. A single well-timed request is sufficient.

Note on PR #917: Commit 8a424d1 (fix: resolve data race and nil pointer panic in processParams) fixed two concurrent-safety bugs in processParams — a data race on paramResult.Chars and a nil pointer dereference on resp.Header. It did not fix the closed-channel panic reported here, which is a structural ordering bug in ParameterAnalysis itself, not inside processParams.

Affected Component

  • pkg/scanning/parameterAnalysis.goParameterAnalysis() (lines 436–448): results channel closed at line 438, then passed to second-stage processParams workers at line 445
  • pkg/scanning/parameterAnalysis.goprocessParams() (line 299): results <- paramResult panics when results is closed

CWE

  • CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') — channel lifecycle ordering error
  • CWE-404: Improper Resource Shutdown or Release

Description

Two-Stage Channel Lifecycle Ordering Error

ParameterAnalysis allocates a single results channel shared by both worker stages:

// pkg/scanning/parameterAnalysis.go:397-408
paramsQue := make(chan string, concurrency)
results := make(chan model.ParamResult, concurrency)   // ← single channel for both stages

go func() {
    for result := range results {   // consumer exits when results is closed
        mutex.Lock()
        params[result.Name] = result
        mutex.Unlock()
    }
}()

First stage (URL parameters in p):

// lines 410-437
for i := 0; i < concurrency; i++ {
    wgg.Add(1)
    go func() {
        processParams(target, paramsQue, results, options, rl, miningCheckerLine, pLog)
        wgg.Done()
    }()
}
// ... feed paramsQue ...
close(paramsQue)
wgg.Wait()
close(results)   // ← line 438: results is now closed; consumer goroutine exits

Second stage (POST-body parameters in dp):

// lines 440-448
var wggg sync.WaitGroup
paramsDataQue := make(chan string, concurrency)
for j := 0; j < concurrency; j++ {
    wggg.Add(1)
    go func() {
        processParams(target, paramsDataQue, results, options, rl, miningCheckerLine, pLog)
        //                                   ^^^^^^^ — same closed channel
        wggg.Done()
    }()
}

When a second-stage worker finds a reflected parameter, processParams sends to the closed channel:

// pkg/scanning/parameterAnalysis.go:299
results <- paramResult   // panic: send on closed channel

A Go runtime panic in a goroutine without a recover terminates the entire program. In server mode, this kills the dalfox API server process.

Trigger Conditions Are Both Attacker-Controlled

Condition 1 — dp is non-empty: dp (the POST-body parameter map) is populated in addParamsFromWordlistsetP whenever options.Data != "":

// parameterAnalysis.go:41-45
if options.Data != "" {
    if dp.Get(name) == "" {
        dp.Set(name, "")
    }
}

The attacker sets "data": "q=test" in the JSON body, which propagates through Initialize (lib/func.go:106). With "mining-dict": true, the entire GF-XSS wordlist (hundreds of parameters) flows into dp, ensuring the second stage has ample work.

Condition 2 — a parameter is reflected: processParams sends to results only when vrs (verified reflection) is true (line 252 → line 299). The attacker controls the target URL — they point it at a server they operate that reflects any query parameter, guaranteeing vrs = true on the first matching entry from the wordlist.

PR #917 Fixed Different Bugs

Commit 8a424d1 addressed: 1. Data race: concurrent append(paramResult.Chars, char) with no mutex → added charsMu sync.Mutex 2. Nil pointer: resp.Header accessed when resp == nil → added && resp != nil guard

Neither change touches the channel lifecycle in ParameterAnalysis. The closed-channel panic is independent and remains unpatched.

Proof of Concept

# Step 1 — Attacker-controlled reflective server
python3 - <<'PY'
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
class H(BaseHTTPRequestHandler):
    def _h(self):
        qs = parse_qs(urlparse(self.path).query)
        n = int(self.headers.get('Content-Length', '0'))
        body = self.rfile.read(n).decode() if n else ''
        bq = parse_qs(body)
        v = qs.get('q', [''])[0] or bq.get('q', [''])[0]
        out = f'<html><body>{v}</body></html>'.encode()
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.send_header('Content-Length', str(len(out)))
        self.end_headers()
        self.wfile.write(out)
    def do_GET(self): self._h()
    def do_POST(self): self._h()
    def log_message(self, *a): pass
HTTPServer(('127.0.0.1', 18083), H).serve_forever()
PY

# Step 2 — Start dalfox REST server (default: no API key)
go run . server --host 127.0.0.1 --port 16664 --type rest

# Step 3 — Single unauthenticated request terminates the server process
curl -s -X POST http://127.0.0.1:16664/scan \
  -H 'Content-Type: application/json' \
  --data '{
    "url": "http://127.0.0.1:18083/?q=test",
    "options": {
      "data": "q=test",
      "mining-dict": true,
      "use-headless": false,
      "worker": 1
    }
  }'

# Expected: dalfox process exits immediately with:
# goroutine N [running]:
# panic: send on closed channel
#   pkg/scanning/parameterAnalysis.go:299 +0x...

# Step 4 — Verify server is down
curl -s http://127.0.0.1:16664/health
# Expected: connection refused

No X-API-KEY header is required. The reflective server is attacker-controlled and guarantees the vrs = true condition that triggers the channel write.

Impact

  • Complete server process crash on a single unauthenticated POST request — no login, no API key, no special permissions required.
  • All in-flight scans are lost without results.
  • The server requires a manual restart; under automated process managers (systemd, Docker --restart=always) repeated triggering can create a denial-of-service loop.
  • The attack requires only network access to port 6664 and a reflective HTTP server reachable by the dalfox instance — both attacker-controlled conditions.

Recommended Remediation

Option 1: Allocate a fresh results channel for the second stage (preferred)

The simplest and most direct fix: give each stage its own channel and consumer. The second stage should not reuse a channel that was created and closed for the first stage.

// pkg/scanning/parameterAnalysis.go — replace the second stage block:

var wggg sync.WaitGroup
paramsDataQue := make(chan string, concurrency)
results2 := make(chan model.ParamResult, concurrency)   // fresh channel

go func() {
    for result := range results2 {
        mutex.Lock()
        params[result.Name] = result
        mutex.Unlock()
    }
}()

for j := 0; j < concurrency; j++ {
    wggg.Add(1)
    go func() {
        processParams(target, paramsDataQue, results2, options, rl, miningCheckerLine, pLog)
        wggg.Done()
    }()
}

// ... feed paramsDataQue ...
close(paramsDataQue)
wggg.Wait()
close(results2)   // close after all writers are done

Option 2: Merge both parameter maps before the single worker stage

Process p and dp entries through a single shared paramsQue and results, eliminating the two-stage design:

// Before the worker loop, merge dp into p (or into a unified queue):
for k := range dp {
    // feed to the same paramsQue along with p entries
}
// Then run a single close(paramsQue) → wgg.Wait() → close(results)

This is a more invasive refactor but removes the structural root cause. The current two-stage design is the fundamental source of the ordering bug.

Option 3: Add a recover in processParams goroutines (stopgap only)

Catching the panic prevents the process from crashing but does not fix the lost results or the channel invariant violation. Recommended only as a temporary defensive measure while the channel lifecycle is corrected:

go func() {
    defer func() {
        if r := recover(); r != nil {
            printing.DalLog("ERROR", fmt.Sprintf("processParams panic recovered: %v", r), options)
        }
        wggg.Done()
    }()
    processParams(target, paramsDataQue, results, options, rl, miningCheckerLine, pLog)
}()

Option 1 is the recommended primary fix. Option 3 should be combined with Option 1, not used as a substitute.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.12.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hahwul/dalfox/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hahwul/dalfox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-404"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:08:40Z",
    "nvd_published_at": "2026-05-27T18:16:25Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`ParameterAnalysis` in `pkg/scanning/parameterAnalysis.go` runs two sequential worker stages that both write to the same `results` channel. The channel is correctly closed after the first stage completes (`close(results)` at line 438), but the second stage \u2014 which processes POST-body parameters (`dp`) \u2014 is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, `processParams` executes `results \u003c- paramResult` on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever `options.Data != \"\"` (i.e., the attacker supplies the `data` field) and the target reflects at least one parameter.\n\n## Severity\n\n**High** (CVSS 3.1: 7.5)\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`\n\n- **Attack Vector:** Network \u2014 server binds to `0.0.0.0:6664` by default; reachable by any network peer.\n- **Attack Complexity:** Low \u2014 the attacker controls both trigger conditions: the `data` field that populates the second stage\u0027s work queue, and the target URL they point at a reflective server they control.\n- **Privileges Required:** None \u2014 `--api-key` defaults to `\"\"`, so no auth middleware is registered.\n- **User Interaction:** None.\n- **Scope:** Unchanged \u2014 a goroutine panic without a `recover` terminates the entire Go process; the impact stays within the dalfox process authority.\n- **Confidentiality Impact:** None.\n- **Integrity Impact:** None.\n- **Availability Impact:** High \u2014 the entire dalfox server process crashes, requiring manual restart. A single well-timed request is sufficient.\n\n**Note on PR #917**: Commit `8a424d1` (`fix: resolve data race and nil pointer panic in processParams`) fixed two concurrent-safety bugs in `processParams` \u2014 a data race on `paramResult.Chars` and a nil pointer dereference on `resp.Header`. It did **not** fix the closed-channel panic reported here, which is a structural ordering bug in `ParameterAnalysis` itself, not inside `processParams`.\n\n## Affected Component\n\n- `pkg/scanning/parameterAnalysis.go` \u2014 `ParameterAnalysis()` (lines 436\u2013448): `results` channel closed at line 438, then passed to second-stage `processParams` workers at line 445\n- `pkg/scanning/parameterAnalysis.go` \u2014 `processParams()` (line 299): `results \u003c- paramResult` panics when `results` is closed\n\n## CWE\n\n- **CWE-362**: Concurrent Execution Using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) \u2014 channel lifecycle ordering error\n- **CWE-404**: Improper Resource Shutdown or Release\n\n## Description\n\n### Two-Stage Channel Lifecycle Ordering Error\n\n`ParameterAnalysis` allocates a single `results` channel shared by both worker stages:\n\n```go\n// pkg/scanning/parameterAnalysis.go:397-408\nparamsQue := make(chan string, concurrency)\nresults := make(chan model.ParamResult, concurrency)   // \u2190 single channel for both stages\n\ngo func() {\n    for result := range results {   // consumer exits when results is closed\n        mutex.Lock()\n        params[result.Name] = result\n        mutex.Unlock()\n    }\n}()\n```\n\n**First stage** (URL parameters in `p`):\n\n```go\n// lines 410-437\nfor i := 0; i \u003c concurrency; i++ {\n    wgg.Add(1)\n    go func() {\n        processParams(target, paramsQue, results, options, rl, miningCheckerLine, pLog)\n        wgg.Done()\n    }()\n}\n// ... feed paramsQue ...\nclose(paramsQue)\nwgg.Wait()\nclose(results)   // \u2190 line 438: results is now closed; consumer goroutine exits\n```\n\n**Second stage** (POST-body parameters in `dp`):\n\n```go\n// lines 440-448\nvar wggg sync.WaitGroup\nparamsDataQue := make(chan string, concurrency)\nfor j := 0; j \u003c concurrency; j++ {\n    wggg.Add(1)\n    go func() {\n        processParams(target, paramsDataQue, results, options, rl, miningCheckerLine, pLog)\n        //                                   ^^^^^^^ \u2014 same closed channel\n        wggg.Done()\n    }()\n}\n```\n\nWhen a second-stage worker finds a reflected parameter, `processParams` sends to the closed channel:\n\n```go\n// pkg/scanning/parameterAnalysis.go:299\nresults \u003c- paramResult   // panic: send on closed channel\n```\n\nA Go runtime panic in a goroutine without a `recover` terminates the entire program. In server mode, this kills the dalfox API server process.\n\n### Trigger Conditions Are Both Attacker-Controlled\n\n**Condition 1 \u2014 `dp` is non-empty**: `dp` (the POST-body parameter map) is populated in `addParamsFromWordlist` \u2192 `setP` whenever `options.Data != \"\"`:\n\n```go\n// parameterAnalysis.go:41-45\nif options.Data != \"\" {\n    if dp.Get(name) == \"\" {\n        dp.Set(name, \"\")\n    }\n}\n```\n\nThe attacker sets `\"data\": \"q=test\"` in the JSON body, which propagates through `Initialize` (`lib/func.go:106`). With `\"mining-dict\": true`, the entire GF-XSS wordlist (hundreds of parameters) flows into `dp`, ensuring the second stage has ample work.\n\n**Condition 2 \u2014 a parameter is reflected**: `processParams` sends to `results` only when `vrs` (verified reflection) is true (line 252 \u2192 line 299). The attacker controls the target URL \u2014 they point it at a server they operate that reflects any query parameter, guaranteeing `vrs = true` on the first matching entry from the wordlist.\n\n### PR #917 Fixed Different Bugs\n\nCommit `8a424d1` addressed:\n1. Data race: concurrent `append(paramResult.Chars, char)` with no mutex \u2192 added `charsMu sync.Mutex`\n2. Nil pointer: `resp.Header` accessed when `resp == nil` \u2192 added `\u0026\u0026 resp != nil` guard\n\nNeither change touches the channel lifecycle in `ParameterAnalysis`. The closed-channel panic is independent and remains unpatched.\n\n## Proof of Concept\n\n```bash\n# Step 1 \u2014 Attacker-controlled reflective server\npython3 - \u003c\u003c\u0027PY\u0027\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nfrom urllib.parse import urlparse, parse_qs\nclass H(BaseHTTPRequestHandler):\n    def _h(self):\n        qs = parse_qs(urlparse(self.path).query)\n        n = int(self.headers.get(\u0027Content-Length\u0027, \u00270\u0027))\n        body = self.rfile.read(n).decode() if n else \u0027\u0027\n        bq = parse_qs(body)\n        v = qs.get(\u0027q\u0027, [\u0027\u0027])[0] or bq.get(\u0027q\u0027, [\u0027\u0027])[0]\n        out = f\u0027\u003chtml\u003e\u003cbody\u003e{v}\u003c/body\u003e\u003c/html\u003e\u0027.encode()\n        self.send_response(200)\n        self.send_header(\u0027Content-Type\u0027, \u0027text/html\u0027)\n        self.send_header(\u0027Content-Length\u0027, str(len(out)))\n        self.end_headers()\n        self.wfile.write(out)\n    def do_GET(self): self._h()\n    def do_POST(self): self._h()\n    def log_message(self, *a): pass\nHTTPServer((\u0027127.0.0.1\u0027, 18083), H).serve_forever()\nPY\n\n# Step 2 \u2014 Start dalfox REST server (default: no API key)\ngo run . server --host 127.0.0.1 --port 16664 --type rest\n\n# Step 3 \u2014 Single unauthenticated request terminates the server process\ncurl -s -X POST http://127.0.0.1:16664/scan \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\n    \"url\": \"http://127.0.0.1:18083/?q=test\",\n    \"options\": {\n      \"data\": \"q=test\",\n      \"mining-dict\": true,\n      \"use-headless\": false,\n      \"worker\": 1\n    }\n  }\u0027\n\n# Expected: dalfox process exits immediately with:\n# goroutine N [running]:\n# panic: send on closed channel\n#   pkg/scanning/parameterAnalysis.go:299 +0x...\n\n# Step 4 \u2014 Verify server is down\ncurl -s http://127.0.0.1:16664/health\n# Expected: connection refused\n```\n\nNo `X-API-KEY` header is required. The reflective server is attacker-controlled and guarantees the `vrs = true` condition that triggers the channel write.\n\n## Impact\n\n- **Complete server process crash** on a single unauthenticated POST request \u2014 no login, no API key, no special permissions required.\n- All in-flight scans are lost without results.\n- The server requires a manual restart; under automated process managers (systemd, Docker `--restart=always`) repeated triggering can create a denial-of-service loop.\n- The attack requires only network access to port 6664 and a reflective HTTP server reachable by the dalfox instance \u2014 both attacker-controlled conditions.\n\n## Recommended Remediation\n\n### Option 1: Allocate a fresh `results` channel for the second stage (preferred)\n\nThe simplest and most direct fix: give each stage its own channel and consumer. The second stage should not reuse a channel that was created and closed for the first stage.\n\n```go\n// pkg/scanning/parameterAnalysis.go \u2014 replace the second stage block:\n\nvar wggg sync.WaitGroup\nparamsDataQue := make(chan string, concurrency)\nresults2 := make(chan model.ParamResult, concurrency)   // fresh channel\n\ngo func() {\n    for result := range results2 {\n        mutex.Lock()\n        params[result.Name] = result\n        mutex.Unlock()\n    }\n}()\n\nfor j := 0; j \u003c concurrency; j++ {\n    wggg.Add(1)\n    go func() {\n        processParams(target, paramsDataQue, results2, options, rl, miningCheckerLine, pLog)\n        wggg.Done()\n    }()\n}\n\n// ... feed paramsDataQue ...\nclose(paramsDataQue)\nwggg.Wait()\nclose(results2)   // close after all writers are done\n```\n\n### Option 2: Merge both parameter maps before the single worker stage\n\nProcess `p` and `dp` entries through a single shared `paramsQue` and `results`, eliminating the two-stage design:\n\n```go\n// Before the worker loop, merge dp into p (or into a unified queue):\nfor k := range dp {\n    // feed to the same paramsQue along with p entries\n}\n// Then run a single close(paramsQue) \u2192 wgg.Wait() \u2192 close(results)\n```\n\nThis is a more invasive refactor but removes the structural root cause. The current two-stage design is the fundamental source of the ordering bug.\n\n### Option 3: Add a `recover` in processParams goroutines (stopgap only)\n\nCatching the panic prevents the process from crashing but does not fix the lost results or the channel invariant violation. Recommended only as a temporary defensive measure while the channel lifecycle is corrected:\n\n```go\ngo func() {\n    defer func() {\n        if r := recover(); r != nil {\n            printing.DalLog(\"ERROR\", fmt.Sprintf(\"processParams panic recovered: %v\", r), options)\n        }\n        wggg.Done()\n    }()\n    processParams(target, paramsDataQue, results, options, rl, miningCheckerLine, pLog)\n}()\n```\n\nOption 1 is the recommended primary fix. Option 3 should be combined with Option 1, not used as a substitute.\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
  "id": "GHSA-2g4x-fq3j-cgq4",
  "modified": "2026-06-08T20:12:46Z",
  "published": "2026-05-12T15:08:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hahwul/dalfox/security/advisories/GHSA-2g4x-fq3j-cgq4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45090"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hahwul/dalfox"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hahwul/dalfox/releases/tag/v2.13.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)"
}

GHSA-2G83-93G3-QR66

Vulnerability from github – Published: 2022-05-14 01:25 – Updated: 2022-05-14 01:25
VLAI
Details

Race condition in the setreuid system-call implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service via a crafted app.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-1099"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-04-10T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in the setreuid system-call implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service via a crafted app.",
  "id": "GHSA-2g83-93g3-qr66",
  "modified": "2022-05-14T01:25:51Z",
  "published": "2022-05-14T01:25:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1099"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT204659"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT204661"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT204662"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT204870"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2015/Apr/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2015/Apr/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1032048"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2GM7-4G69-R63Q

Vulnerability from github – Published: 2022-10-20 12:00 – Updated: 2022-10-21 19:01
VLAI
Details

A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-20T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability regarding concurrent execution using shared resource with improper synchronization (\u0027Race Condition\u0027) is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.",
  "id": "GHSA-2gm7-4g69-r63q",
  "modified": "2022-10-21T19:01:14Z",
  "published": "2022-10-20T12:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27626"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_22_17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.