VYPR

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

ClassDraftLikelihood: Medium

Description

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-26 · CAPEC-29

CVEs mapped to this weakness (1,091)

page 17 of 55
  • CVE-2026-23410HigApr 1, 2026
    risk 0.44cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata…

  • CVE-2026-23393HigMar 25, 2026
    risk 0.44cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context…

  • CVE-2026-23271HigMar 20, 2026
    risk 0.44cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up…

  • CVE-2025-37088MedApr 22, 2025
    risk 0.44cvss 6.8epss 0.00

    A security vulnerability has been identified in HPE Cray Data Virtualization Service (DVS). Depending on race conditions and configuration, this vulnerability may lead to local/cluster unauthorized access.

  • CVE-2018-12691MedJul 5, 2018
    risk 0.44cvss 6.8epss 0.01

    Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection.

  • CVE-2015-5191MedJul 28, 2017
    risk 0.44cvss 6.7epss 0.00

    VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

  • CVE-2014-9914HigFeb 7, 2017
    risk 0.44cvss 7.8epss 0.00

    Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c in the Linux kernel before 3.15.2 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect expectations about locking during multithreaded access to…

  • CVE-2016-1267MedApr 15, 2016
    risk 0.44cvss 6.7epss 0.00

    Race condition in the RPC functionality in Juniper Junos OS before 12.1X44-D55, 12.1X46 before 12.1X46-D40, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R11, 12.3X48 before 12.3X48-D20, 13.2 before 13.2R8, 13.2X51 before 13.2X51-D39, 13.3 before 13.3R7, 14.1 before 14.1R6,…

  • CVE-2026-33544HigApr 2, 2026
    risk 0.43cvss 7.7epss 0.00

    Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared…

  • CVE-2024-34528HigMay 6, 2024
    risk 0.43cvss 7.7epss 0.00

    WordOps through 3.20.0 has a wo/cli/plugins/stack_pref.py TOCTOU race condition because the conf_path os.open does not use a mode parameter during file creation.

  • CVE-2016-8745HigAug 10, 2017
    risk 0.43cvss 7.5epss 0.16

    A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple…

  • CVE-2026-48708HigJun 15, 2026
    risk 0.42cvss 7.5epss 0.00

    OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action…

  • CVE-2026-45090HigMay 27, 2026
    risk 0.42cvss 7.5epss 0.00

    Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first…

  • CVE-2026-42594HigMay 14, 2026
    risk 0.42cvss 7.5epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool.…

  • CVE-2026-28379MedMay 13, 2026
    risk 0.42cvss 6.5epss 0.00

    A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

  • CVE-2026-23440HigApr 3, 2026
    risk 0.42cvss 7.5epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race condition during IPSec ESN update In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the…

  • CVE-2026-33028HigMar 30, 2026
    risk 0.42cvss 7.5epss 0.01

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe…

  • CVE-2026-32398MedMar 13, 2026
    risk 0.42cvss 6.5epss 0.00

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Subrata Mal TeraWallet – For WooCommerce woo-wallet allows Leveraging Race Conditions.This issue affects TeraWallet – For WooCommerce: from n/a through <= 1.5.15.

  • CVE-2025-13231MedDec 16, 2025
    risk 0.42cvss 6.5epss 0.00

    The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The…

  • CVE-2025-61792MedSep 30, 2025
    risk 0.42cvss 6.4epss 0.00

    Quadient DS-700 iQ devices through 2025-09-30 might have a race condition during the quick clicking of (in order) the Question Mark button, the Help Button, the About button, and the Help Button, leading to a transition out of kiosk mode into local administrative access. NOTE:…