CWE-364
Signal Handler Race Condition
BaseIncompleteLikelihood: Medium
Description
The product uses a signal handler that introduces a race condition.
Hierarchy (View 1000)
CVEs mapped to this weakness (2)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-6409 | Hig | 0.45 | 7.0 | 0.76 | Jul 8, 2024 | A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server. | |
| CVE-1999-0035 | Med | 0.35 | 5.4 | 0.00 | May 29, 1997 | Race condition in signal handling routine in ftpd, allowing read/write arbitrary files. |