CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
Description
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-27 · CAPEC-29
CVEs mapped to this weakness (249)
page 10 of 13| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-8562 | Low | 0.14 | 2.2 | 0.01 | Feb 1, 2022 | As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation… | ||
| CVE-2025-52532 | — | Low | 0.13 | — | 0.00 | May 15, 2026 | A race condition in the MxGPU-Virtualization driver’s ioctl path caused by concurrent unsynchronized access to the global variable amdgv_cmd in an unlocked ioctl handler could be exploited by an attacker to trigger a heap-based buffer overflow, potentially resulting in… | |
| CVE-2022-23826 | — | Low | 0.12 | — | 0.00 | May 15, 2026 | A TOCTOU (Time-Of-Check to Time-Of-Use) in the graphics interface may allow an attacker to load registers repeatedly creating a race condition potentially leading to a loss of integrity. | |
| CVE-2026-43529 | Low | 0.09 | 2.5 | 0.00 | May 5, 2026 | OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between… | ||
| CVE-2026-35202 | Low | 0.08 | — | 0.00 | Jun 2, 2026 | Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the… | ||
| CVE-2024-32482 | Low | 0.07 | 2.2 | 0.00 | Apr 23, 2024 | The Tillitis TKey signer device application is an ed25519 signing tool. A vulnerability has been found that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client… | ||
| CVE-2004-0594 | 0.07 | — | 0.55 | Jul 27, 2004 | The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function… | |||
| CVE-2024-0132 | 0.03 | — | 0.36 | Sep 26, 2024 | NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A… | |||
| CVE-2024-56337 | — | 0.01 | — | 0.09 | Dec 20, 2024 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but… | ||
| CVE-2015-1743 | 0.01 | — | 0.14 | Jun 10, 2015 | Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-1748. | |||
| CVE-2003-0813 | 0.01 | — | 0.15 | Nov 17, 2003 | A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it… | |||
| CVE-2026-54777 | 0.00 | — | — | Jun 19, 2026 | ### Impact CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic. NetNamedPipe creates a shared memory object based on the listening url, then generated a unique GUID for the named pipe it will be… | |||
| CVE-2026-54327 | low | 0.00 | — | 0.00 | Jun 17, 2026 | # Pi auth.json writes could briefly expose stored credentials to local users Pi stored API keys and OAuth credentials in `auth.json`. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before… | ||
| CVE-2026-32979 | 0.00 | — | 0.00 | Mar 29, 2026 | OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution… | |||
| CVE-2026-33624 | 0.00 | — | 0.00 | Mar 24, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times… | |||
| CVE-2026-32043 | 0.00 | — | 0.00 | Mar 21, 2026 | OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and… | |||
| CVE-2026-31997 | 0.00 | — | 0.00 | Mar 19, 2026 | OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator… | |||
| CVE-2026-32943 | 0.00 | — | 0.00 | Mar 18, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated… | |||
| CVE-2026-27545 | 0.00 | — | 0.00 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker… | |||
| CVE-2026-22181 | 0.00 | — | 0.00 | Mar 18, 2026 | OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present,… |
- risk 0.14cvss 2.2epss 0.01
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation…
- risk 0.13cvss —epss 0.00
A race condition in the MxGPU-Virtualization driver’s ioctl path caused by concurrent unsynchronized access to the global variable amdgv_cmd in an unlocked ioctl handler could be exploited by an attacker to trigger a heap-based buffer overflow, potentially resulting in…
- risk 0.12cvss —epss 0.00
A TOCTOU (Time-Of-Check to Time-Of-Use) in the graphics interface may allow an attacker to load registers repeatedly creating a race condition potentially leading to a loss of integrity.
- risk 0.09cvss 2.5epss 0.00
OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between…
- risk 0.08cvss —epss 0.00
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the…
- risk 0.07cvss 2.2epss 0.00
The Tillitis TKey signer device application is an ed25519 signing tool. A vulnerability has been found that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client…
- CVE-2004-0594Jul 27, 2004risk 0.07cvss —epss 0.55
The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function…
- CVE-2024-0132Sep 26, 2024risk 0.03cvss —epss 0.36
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A…
- CVE-2024-56337Dec 20, 2024risk 0.01cvss —epss 0.09
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but…
- CVE-2015-1743Jun 10, 2015risk 0.01cvss —epss 0.14
Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-1748.
- CVE-2003-0813Nov 17, 2003risk 0.01cvss —epss 0.15
A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it…
- CVE-2026-54777Jun 19, 2026risk 0.00cvss —epss —
### Impact CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic. NetNamedPipe creates a shared memory object based on the listening url, then generated a unique GUID for the named pipe it will be…
- risk 0.00cvss —epss 0.00
# Pi auth.json writes could briefly expose stored credentials to local users Pi stored API keys and OAuth credentials in `auth.json`. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before…
- CVE-2026-32979Mar 29, 2026risk 0.00cvss —epss 0.00
OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution…
- CVE-2026-33624Mar 24, 2026risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times…
- CVE-2026-32043Mar 21, 2026risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and…
- CVE-2026-31997Mar 19, 2026risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator…
- CVE-2026-32943Mar 18, 2026risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated…
- CVE-2026-27545Mar 18, 2026risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker…
- CVE-2026-22181Mar 18, 2026risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present,…