CWE-820
AllowedMissing Synchronization
Abstraction: Base · Status: Incomplete
The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
29 vulnerabilities reference this CWE, most recent first.
GHSA-HCGQ-VPP8-J6Q4
Vulnerability from github – Published: 2025-03-25 15:31 – Updated: 2025-03-25 15:31A vulnerability exists in RTU IEC 61850 client and server functionality that could impact the availability if renegotiation of an open IEC61850 TLS connection takes place in specific timing situations, when IEC61850 communication is active.
Precondition is that IEC61850 as client or server are configured using TLS on RTU500 device. It affects the CMU the IEC61850 stack is configured on.
{
"affected": [],
"aliases": [
"CVE-2025-1445"
],
"database_specific": {
"cwe_ids": [
"CWE-820"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-25T13:15:40Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in RTU IEC 61850 client and server functionality that could impact the availability if renegotiation of an open IEC61850 TLS connection takes place in specific timing situations, when IEC61850 communication is active.\n\nPrecondition is that IEC61850 as client or server are configured using TLS on RTU500 device. It affects the CMU the IEC61850 stack is configured on.",
"id": "GHSA-hcgq-vpp8-j6q4",
"modified": "2025-03-25T15:31:29Z",
"published": "2025-03-25T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1445"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000207\u0026languageCode=en\u0026Preview=true"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M379-7MFM-WQR6
Vulnerability from github – Published: 2025-09-08 15:37 – Updated: 2025-10-17 21:31The on-endpoint Microsoft vulnerable driver blocklist is not fully synchronized with the online Microsoft recommended driver block rules. Some entries present on the online list have been excluded from the on-endpoint blocklist longer than the expected periodic monthly Windows updates. It is possible to fully synchronize the driver blocklist using WDAC policies. NOTE: The vendor explains that Windows Update provides a smaller, compatibility-focused driver blocklist for general users, while the full XML list is available for advanced users and organizations to customize at the risk of usability issues.
{
"affected": [],
"aliases": [
"CVE-2022-50238"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-820"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-08T15:15:32Z",
"severity": "HIGH"
},
"details": "The on-endpoint Microsoft vulnerable driver blocklist is not fully synchronized with the online Microsoft recommended driver block rules. Some entries present on the online list have been excluded from the on-endpoint blocklist longer than the expected periodic monthly Windows updates. It is possible to fully synchronize the driver blocklist using WDAC policies. NOTE: The vendor explains that Windows Update provides a smaller, compatibility-focused driver blocklist for general users, while the full XML list is available for advanced users and organizations to customize at the risk of usability issues.",
"id": "GHSA-m379-7mfm-wqr6",
"modified": "2025-10-17T21:31:17Z",
"published": "2025-09-08T15:37:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50238"
},
{
"type": "WEB",
"url": "https://github.com/wdormann/applywdac"
},
{
"type": "WEB",
"url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PPCC-7HRX-R7PF
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Missing synchronization in Windows Hyper-V allows an authorized attacker to deny service over an adjacent network.
{
"affected": [],
"aliases": [
"CVE-2025-49751"
],
"database_specific": {
"cwe_ids": [
"CWE-820"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T18:15:30Z",
"severity": "MODERATE"
},
"details": "Missing synchronization in Windows Hyper-V allows an authorized attacker to deny service over an adjacent network.",
"id": "GHSA-ppcc-7hrx-r7pf",
"modified": "2025-08-12T18:31:30Z",
"published": "2025-08-12T18:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49751"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49751"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRH4-P6V4-MRFG
Vulnerability from github – Published: 2026-07-14 18:03 – Updated: 2026-07-14 18:03Summary:
When Hoverfly is running in Diff mode, the AddDiff() function writes to the shared responsesDiff map without any synchronization (no mutex). When multiple proxy requests are processed concurrently (the normal case for any proxy), the concurrent map writes trigger Go's built-in race detector which causes a fatal error: concurrent map read and map write, immediately killing the entire Hoverfly process. This is trivially exploitable by sending multiple simultaneous requests.
Details:
1. Unsynchronized map access in AddDiff() (core/hoverfly_service.go:417-421):
func (hf *Hoverfly) AddDiff(requestView v2.SimpleRequestDefinitionView, diffReport v2.DiffReport) {
if len(diffReport.DiffEntries) > 0 {
diffs := hf.responsesDiff[requestView] // UNSYNCHRONIZED READ
hf.responsesDiff[requestView] = append(diffs, diffReport) // UNSYNCHRONIZED WRITE
}
}
2. This function is called from Diff mode processing, which runs concurrently per request (core/modes/diff_mode.go):
Each incoming proxy request is handled in its own goroutine by Go's net/http server. In Diff mode, each request calls AddDiff() after comparing the simulated and actual responses. With multiple concurrent requests, multiple goroutines write to the same map simultaneously.
3. Go's runtime detects concurrent map access and terminates the process:
Unlike data races on simple values (which produce undefined behavior silently), Go's map implementation includes a built-in concurrent access check. When two goroutines access the same map and at least one is writing, the runtime calls fatal() which is unrecoverable, it cannot be caught by recover().
4. No mutex protection exists on responsesDiff:
The field is declared as a plain map[v2.SimpleRequestDefinitionView][]v2.DiffReport with no associated sync.RWMutex. Compare with hf.state which properly uses sync.RWMutex for its map access.
Environment:
- Hoverfly version: v1.12.7
- Operating System: macOS Darwin 25.4.0
- Go version: 1.26.2
- Configuration: Hoverfly in Diff mode (
PUT /api/v2/hoverfly/mode {"mode":"diff"})
POC:
Step 1: Start Hoverfly and set Diff mode
./hoverfly &
sleep 2
# Set diff mode
curl -X PUT http://localhost:8888/api/v2/hoverfly/mode \
-H "Content-Type: application/json" \
-d '{"mode": "diff"}'
# Load a simulation for diff comparison
curl -X PUT http://localhost:8888/api/v2/simulation \
-H "Content-Type: application/json" \
-d '{
"data": {
"pairs": [{
"request": {"path": [{"matcher": "glob", "value": "*"}]},
"response": {"status": 200, "body": "expected"}
}],
"globalActions": {"delays": [], "delaysLogNormal": []}
},
"meta": {"schemaVersion": "v5.2"}
}'
Step 2: Send concurrent requests to trigger the race
# Send 50 concurrent requests, race condition triggers within seconds
for i in $(seq 1 50); do
curl -s -x http://localhost:8500 "http://httpbin.org/get?id=$i" &
done
wait
Step 3: Observe the crash
# Check if process is still running
pgrep -f hoverfly
crash output on Hoverfly v1.12.7:
fatal error: concurrent map read and map write
goroutine 892 [running]:
github.com/SpectoLabs/hoverfly/core.(*Hoverfly).AddDiff(...)
/core/hoverfly_service.go:419
github.com/SpectoLabs/hoverfly/core/modes.(*DiffMode).Process(...)
The process crashes with ~50 concurrent requests. In production with real traffic, it crashes almost immediately.
Impact:
- Full denial of service: The process terminates immediately and cannot be recovered without a restart
- Trivial exploitation: Any attacker with proxy access can trigger this by sending multiple concurrent requests
- No admin API access required: Only proxy port access is needed to trigger the crash
- Unrecoverable:
fatal errorin Go cannot be caught byrecover()— the process is unconditionally killed - Affects all Diff mode users: Any team using Diff mode for API comparison testing is vulnerable
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/SpectoLabs/hoverfly"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50013"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-820"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T18:03:10Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary:\n\nWhen Hoverfly is running in Diff mode, the `AddDiff()` function writes to the shared `responsesDiff` map without any synchronization (no mutex). When multiple proxy requests are processed concurrently (the normal case for any proxy), the concurrent map writes trigger Go\u0027s built-in race detector which causes a `fatal error: concurrent map read and map write`, immediately killing the entire Hoverfly process. This is trivially exploitable by sending multiple simultaneous requests.\n\n### Details:\n\n**1. Unsynchronized map access in `AddDiff()` (`core/hoverfly_service.go:417-421`):**\n\n```go\nfunc (hf *Hoverfly) AddDiff(requestView v2.SimpleRequestDefinitionView, diffReport v2.DiffReport) {\n if len(diffReport.DiffEntries) \u003e 0 {\n diffs := hf.responsesDiff[requestView] // UNSYNCHRONIZED READ\n hf.responsesDiff[requestView] = append(diffs, diffReport) // UNSYNCHRONIZED WRITE\n }\n}\n```\n\n**2. This function is called from Diff mode processing, which runs concurrently per request (`core/modes/diff_mode.go`):**\n\nEach incoming proxy request is handled in its own goroutine by Go\u0027s `net/http` server. In Diff mode, each request calls `AddDiff()` after comparing the simulated and actual responses. With multiple concurrent requests, multiple goroutines write to the same map simultaneously.\n\n**3. Go\u0027s runtime detects concurrent map access and terminates the process:**\n\nUnlike data races on simple values (which produce undefined behavior silently), Go\u0027s map implementation includes a built-in concurrent access check. When two goroutines access the same map and at least one is writing, the runtime calls `fatal()` which is unrecoverable, it cannot be caught by `recover()`.\n\n**4. No mutex protection exists on `responsesDiff`:**\n\nThe field is declared as a plain `map[v2.SimpleRequestDefinitionView][]v2.DiffReport` with no associated `sync.RWMutex`. Compare with `hf.state` which properly uses `sync.RWMutex` for its map access.\n\n### Environment:\n\n- **Hoverfly version:** v1.12.7\n- **Operating System:** macOS Darwin 25.4.0\n- **Go version:** 1.26.2\n- **Configuration:** Hoverfly in Diff mode (`PUT /api/v2/hoverfly/mode {\"mode\":\"diff\"}`)\n\n### POC:\n\n**Step 1: Start Hoverfly and set Diff mode**\n\n```bash\n./hoverfly \u0026\nsleep 2\n\n# Set diff mode\ncurl -X PUT http://localhost:8888/api/v2/hoverfly/mode \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"mode\": \"diff\"}\u0027\n\n# Load a simulation for diff comparison\ncurl -X PUT http://localhost:8888/api/v2/simulation \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"data\": {\n \"pairs\": [{\n \"request\": {\"path\": [{\"matcher\": \"glob\", \"value\": \"*\"}]},\n \"response\": {\"status\": 200, \"body\": \"expected\"}\n }],\n \"globalActions\": {\"delays\": [], \"delaysLogNormal\": []}\n },\n \"meta\": {\"schemaVersion\": \"v5.2\"}\n }\u0027\n```\n\n**Step 2: Send concurrent requests to trigger the race**\n\n```bash\n# Send 50 concurrent requests, race condition triggers within seconds\nfor i in $(seq 1 50); do\n curl -s -x http://localhost:8500 \"http://httpbin.org/get?id=$i\" \u0026\ndone\nwait\n```\n\n**Step 3: Observe the crash**\n\n```bash\n# Check if process is still running\npgrep -f hoverfly\n```\n\n**crash output on Hoverfly v1.12.7:**\n\n```\nfatal error: concurrent map read and map write\n\ngoroutine 892 [running]:\ngithub.com/SpectoLabs/hoverfly/core.(*Hoverfly).AddDiff(...)\n /core/hoverfly_service.go:419\ngithub.com/SpectoLabs/hoverfly/core/modes.(*DiffMode).Process(...)\n```\n\nThe process crashes with ~50 concurrent requests. In production with real traffic, it crashes almost immediately.\n\n### Impact:\n\n- **Full denial of service:** The process terminates immediately and cannot be recovered without a restart\n- **Trivial exploitation:** Any attacker with proxy access can trigger this by sending multiple concurrent requests\n- **No admin API access required:** Only proxy port access is needed to trigger the crash\n- **Unrecoverable:** `fatal error` in Go cannot be caught by `recover()` \u2014 the process is unconditionally killed\n- **Affects all Diff mode users:** Any team using Diff mode for API comparison testing is vulnerable",
"id": "GHSA-qrh4-p6v4-mrfg",
"modified": "2026-07-14T18:03:10Z",
"published": "2026-07-14T18:03:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-qrh4-p6v4-mrfg"
},
{
"type": "WEB",
"url": "https://github.com/SpectoLabs/hoverfly/pull/1227"
},
{
"type": "PACKAGE",
"url": "https://github.com/SpectoLabs/hoverfly"
},
{
"type": "WEB",
"url": "https://github.com/SpectoLabs/hoverfly/releases/tag/v1.12.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode"
}
GHSA-VWX4-FRPR-W27J
Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2022-12-01 22:11Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.convertigo.jenkins.plugins:convertigo-mobile-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25210"
],
"database_specific": {
"cwe_ids": [
"CWE-662",
"CWE-820"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-24T17:41:42Z",
"nvd_published_at": "2022-02-15T17:15:00Z",
"severity": "LOW"
},
"details": "Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured.",
"id": "GHSA-vwx4-frpr-w27j",
"modified": "2022-12-01T22:11:12Z",
"published": "2022-02-16T00:01:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25210"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/convertigo-mobile-platform-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2280"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Synchronization in Jenkins Convertigo Mobile Platform Plugin"
}
GHSA-X2W4-C67P-G44J
Vulnerability from github – Published: 2023-06-06 21:30 – Updated: 2025-02-13 18:56Grafana is an open-source platform for monitoring and observability.
Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.
The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.
This might enable malicious users to crash Grafana instances through that endpoint.
Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2801"
],
"database_specific": {
"cwe_ids": [
"CWE-662",
"CWE-820"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-07T15:08:08Z",
"nvd_published_at": "2023-06-06T19:15:11Z",
"severity": "HIGH"
},
"details": "Grafana is an open-source platform for monitoring and observability. \n\nUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\n\nThe only feature that uses mixed queries at the moment is public dashboards, but it\u0027s also possible to cause this by calling the query API directly.\n\nThis might enable malicious users to crash Grafana instances through that endpoint.\n\nUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix.",
"id": "GHSA-x2w4-c67p-g44j",
"modified": "2025-02-13T18:56:29Z",
"published": "2023-06-06T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/grafana"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-2801"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230706-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Grafana Missing Synchronization vulnerability"
}
GHSA-X4MQ-M75F-MX8M
Vulnerability from github – Published: 2022-06-17 00:30 – Updated: 2022-07-05 21:26Affected versions of this crate did not require event handlers to have Send bound despite there being no guarantee of them being called on any particular thread, which can potentially lead to data races and undefined behavior.
The flaw was corrected in commit afe3252 by adding Send bounds.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "windows"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.2"
},
{
"fixed": "0.32.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-820"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T00:30:33Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Affected versions of this crate did not require event handlers to have `Send` bound despite there being no guarantee of them being called on any particular thread, which can potentially lead to data races and undefined behavior.\n\nThe flaw was corrected in commit [afe3252](https://github.com/microsoft/windows-rs/commit/afe32525c22209aa8f632a0f4ad607863b51796a) by adding `Send` bounds.",
"id": "GHSA-x4mq-m75f-mx8m",
"modified": "2022-07-05T21:26:36Z",
"published": "2022-06-17T00:30:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/microsoft/windows-rs/issues/1409"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/windows-rs/commit/afe32525c22209aa8f632a0f4ad607863b51796a"
},
{
"type": "PACKAGE",
"url": "https://github.com/microsoft/windows-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Delegate functions are missing `Send` bound"
}
GHSA-X5G3-HX3C-GFXX
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
mm/list_lru: drain before clearing xarray entry on reparent
memcg_reparent_list_lrus() clears the dying memcg's xarray entry with xas_store(&xas, NULL) before reparenting its per-node lists into the parent. This opens a window where a concurrent list_lru_del() arriving for the dying memcg sees xa_load() == NULL, walks to the parent in lock_list_lru_of_memcg(), takes the parent's per-node lock, and calls list_del_init() on an item still physically linked on the dying memcg's list.
If another in-flight thread holds the dying memcg's per-node lock at the same moment (another list_lru_del, or a list_lru_walk_one running an isolate callback), both threads modify ->next/->prev pointers on the same physical list under different locks. Adjacent items can corrupt each other's links.
Fix it by reversing the order: reparent each per-node list and mark the child's list lru dead and then clear the xarray entry. Any concurrent list_lru op that finds the still-set xarray entry either takes the dying memcg's per-node lock (synchronizing with the drain) or sees LONG_MIN and walks to the parent, where the items now live.
{
"affected": [],
"aliases": [
"CVE-2026-53153"
],
"database_specific": {
"cwe_ids": [
"CWE-820"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:32Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/list_lru: drain before clearing xarray entry on reparent\n\nmemcg_reparent_list_lrus() clears the dying memcg\u0027s xarray entry with\nxas_store(\u0026xas, NULL) before reparenting its per-node lists into the\nparent. This opens a window where a concurrent list_lru_del() arriving\nfor the dying memcg sees xa_load() == NULL, walks to the parent in\nlock_list_lru_of_memcg(), takes the parent\u0027s per-node lock, and calls\nlist_del_init() on an item still physically linked on the dying memcg\u0027s\nlist.\n\nIf another in-flight thread holds the dying memcg\u0027s per-node lock at the\nsame moment (another list_lru_del, or a list_lru_walk_one running an\nisolate callback), both threads modify -\u003enext/-\u003eprev pointers on the same\nphysical list under different locks. Adjacent items can corrupt each\nother\u0027s links.\n\nFix it by reversing the order: reparent each per-node list and mark the\nchild\u0027s list lru dead and then clear the xarray entry. Any concurrent\nlist_lru op that finds the still-set xarray entry either takes the dying\nmemcg\u0027s per-node lock (synchronizing with the drain) or sees LONG_MIN and\nwalks to the parent, where the items now live.",
"id": "GHSA-x5g3-hx3c-gfxx",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-25T09:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53153"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53153"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492790"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2b66496d794e98f7aeec7688573051f22ec40bac"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98733f3f0becb1ae0701d021c1748e974e5fa55c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c19ff4351214f059349788e13e70e74325831ff6"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53153.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X7GH-CPMX-X9CJ
Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 00:31A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS).
When the reachability of an sFlow collector changes, the corresponding next-hop entry is updated. If this update occurs simultaneously with the sFlow thread accessing the next-hop data (which is outside the attackers control), it causes the evo-pfemand process to crash, impacting all traffic forwarding until the automatic process restart has completed.
This issue affects Junos OS Evolved on QFX Series:
- all 23.2 versions,
- 23.4 versions before 23.4R2-S7-EVO,
- 24.2 versions before 24.2R2-S5-EVO,
- 24.4 versions before 24.4R2-S3-EVO,
- 25.2 versions before 25.2R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2026-57029"
],
"database_specific": {
"cwe_ids": [
"CWE-820"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T22:17:08Z",
"severity": "MODERATE"
},
"details": "A\u00a0Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS).\n\n\nWhen the reachability of an sFlow collector changes, the corresponding next-hop entry is updated.\u00a0If this update occurs simultaneously with the sFlow thread accessing the next-hop data (which is outside the attackers control), it causes the evo-pfemand process to crash, impacting all traffic forwarding until the automatic process restart has completed.\n\n\n\n\nThis issue affects Junos OS Evolved on QFX Series:\n\n\n * all 23.2 versions,\u00a0\n * 23.4 versions before 23.4R2-S7-EVO,\n * 24.2 versions before 24.2R2-S5-EVO,\n * 24.4 versions before 24.4R2-S3-EVO,\n * 25.2 versions before 25.2R2-EVO.",
"id": "GHSA-x7gh-cpmx-x9cj",
"modified": "2026-07-10T00:31:27Z",
"published": "2026-07-10T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57029"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA110089"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.