VYPR

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

ClassDraftLikelihood: Medium

Description

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-26 · CAPEC-29

CVEs mapped to this weakness (1,091)

page 21 of 55
  • CVE-2018-17972MedOct 3, 2018
    risk 0.36cvss 5.5epss 0.00

    An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack…

  • CVE-2017-5427MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    A non-existent chrome.manifest file will attempt to be loaded during startup from the primary installation directory. If a malicious user with local access puts chrome.manifest and other referenced files in this directory, they will be loaded and activated during startup. This…

  • CVE-2017-15038MedOct 10, 2017
    risk 0.36cvss 5.6epss 0.00

    Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.

  • CVE-2017-14483MedSep 15, 2017
    risk 0.36cvss 5.5epss 0.00

    flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 for Celery Flower sets PID file ownership to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root…

  • CVE-2017-14317MedSep 12, 2017
    risk 0.36cvss 5.6epss 0.00

    A domain cleanup issue was discovered in the C xenstore daemon (aka cxenstored) in Xen through 4.9.x. When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on…

  • CVE-2017-5986MedFeb 18, 2017
    risk 0.36cvss 5.5epss 0.01

    Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.

  • CVE-2016-7916MedNov 16, 2016
    risk 0.36cvss 5.5epss 0.00

    Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is…

  • CVE-2016-1807MedMay 20, 2016
    risk 0.36cvss 5.1epss 0.01

    Race condition in the Disk Images subsystem in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows local users to obtain sensitive information from kernel memory via unspecified vectors.

  • CVE-2026-44318MedMay 27, 2026
    risk 0.35cvss 6.5epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via…

  • CVE-2026-4635MedMay 22, 2026
    risk 0.35cvss 6.5epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to crash the server via timing the creation of persistent notification message…

  • CVE-2026-26206MedApr 29, 2026
    risk 0.35cvss 6.5epss 0.00

    Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication…

  • CVE-2026-5774MedApr 10, 2026
    risk 0.35cvss 6.4epss 0.00

    Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.

  • CVE-2017-7543MedJul 26, 2018
    risk 0.35cvss 5.3epss 0.02

    A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0:…

  • CVE-2018-5236MedJun 20, 2018
    risk 0.35cvss 5.3epss 0.01

    Symantec Endpoint Protection prior to 14 RU1 MP1 or 12.1 RU6 MP10 may be susceptible to a race condition (or race hazard). This type of issue occurs in software where the output is dependent on the sequence or timing of other uncontrollable events.

  • CVE-2017-5061MedOct 27, 2017
    risk 0.35cvss 5.3epss 0.01

    A race condition in navigation in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

  • CVE-2017-14748MedSep 26, 2017
    risk 0.35cvss 5.3epss 0.01

    Race condition in Blizzard Overwatch 1.15.0.2 allows remote authenticated users to cause a denial of service (season bans and SR losses for other users) by leaving a competitive match at a specific time during the initial loading of that match.

  • CVE-2016-3106MedApr 13, 2017
    risk 0.35cvss 5.3epss 0.01

    Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner.

  • CVE-2016-9962MedJan 31, 2017
    risk 0.35cvss 6.4epss 0.00

    RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to…

  • CVE-2016-4247MedJul 13, 2016
    risk 0.35cvss 5.3epss 0.03

    Race condition in Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0.0.209 on Windows and OS X and before 11.2.202.632 on Linux allows attackers to obtain sensitive information via unspecified vectors.

  • CVE-2016-1670MedMay 14, 2016
    risk 0.35cvss 5.3epss 0.01

    Race condition in the ResourceDispatcherHostImpl::BeginRequest function in content/browser/loader/resource_dispatcher_host_impl.cc in Google Chrome before 50.0.2661.102 allows remote attackers to make arbitrary HTTP requests by leveraging access to a renderer process and reusing…