CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
BaseIncompleteLikelihood: Medium
Description
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-27 · CAPEC-29
CVEs mapped to this weakness (142)
page 2 of 8| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-26522 | Hig | 0.51 | 7.8 | 0.01 | May 8, 2026 | The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3. | |
| CVE-2026-7791 | Hig | 0.51 | 7.8 | 0.00 | May 4, 2026 | Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM. | |
| CVE-2025-47407 | Hig | 0.51 | 7.8 | 0.00 | May 4, 2026 | Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level. | |
| CVE-2026-31678 | Hig | 0.51 | 7.8 | 0.00 | Apr 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL. | |
| CVE-2026-23554 | Hig | 0.51 | 7.8 | 0.00 | Mar 23, 2026 | The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions. | |
| CVE-2026-27750 | Hig | 0.51 | 7.8 | 0.00 | Mar 5, 2026 | Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This may result in deletion of protected files or directories and can lead to local privilege escalation, denial of service, or system integrity compromise depending on the affected target. | |
| CVE-2025-20074 | Hig | 0.51 | 7.8 | 0.00 | Aug 12, 2025 | Time-of-check Time-of-use race condition for some Intel(R) Connectivity Performance Suite software installers before version 40.24.11210 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2024-13961 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |
| CVE-2024-13960 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in TuneUp Service in AVG TuneUp Version 23.4 (build 15592) on Windows 10 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |
| CVE-2024-13944 | Hig | 0.51 | 7.8 | 0.00 | May 9, 2025 | Link Following Local Privilege Escalation Vulnerability in NortonUtilitiesSvc in Norton Utilities Ultimate Version 24.2.16862.6344 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via the creation of a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack. | |
| CVE-2024-48394 | Hig | 0.51 | 7.8 | 0.00 | Feb 5, 2025 | A Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the driver of the NDD Print solution, which could allow an unprivileged user to exploit this flaw and gain SYSTEM-level access on the device. The vulnerability affects version 5.24.3 and before of the software. | |
| CVE-2017-0756 | Hig | 0.51 | 7.8 | 0.00 | Sep 8, 2017 | A remote code execution vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-34621073. | |
| CVE-2017-0331 | Hig | 0.51 | 7.8 | 0.00 | May 2, 2017 | An elevation of privilege vulnerability in the NVIDIA video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel 3.10. Android ID: A-34113000. References: N-CVE-2017-0331. | |
| CVE-2026-30332 | Hig | 0.49 | 7.5 | 0.00 | Apr 2, 2026 | A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process. | |
| CVE-2026-32988 | Hig | 0.49 | 7.5 | 0.00 | Mar 31, 2026 | OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes outside the intended validated path before the final guarded replace step executes. | |
| CVE-2025-20082 | Hig | 0.49 | 7.5 | 0.00 | May 13, 2025 | Time-of-check time-of-use race condition in the UEFI firmware SmiVariable driver for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to enable escalation of privilege via local access. | |
| CVE-2024-41917 | Hig | 0.49 | 7.5 | 0.00 | Feb 12, 2025 | Time-of-check time-of-use race condition for some Intel(R) Battery Life Diagnostic Tool software before version 2.4.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2024-5803 | Hig | 0.49 | 7.5 | 0.00 | Oct 3, 2024 | The AVGUI.exe of AVG/Avast Antivirus before versions before 24.1 can allow a local attacker to escalate privileges via an COM hijack in a time-of-check to time-of-use (TOCTOU) when self protection is disabled. | |
| CVE-2024-39894 | Hig | 0.49 | 7.5 | 0.03 | Jul 2, 2024 | OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur. | |
| CVE-2026-34354 | Hig | 0.48 | 7.4 | 0.00 | May 8, 2026 | Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service, by creating a log file and manipulating it into a symlink that points to the targeted path; this can allow an unprivileged local user to make arbitrary root-owned files world-writable. In addition, a diagnostic collection tool (gimmelogs) running with root privileges was vulnerable to command injection from the dbstore, offering a second privilege escalation vector. (On Windows, gimmelogs does not have command injection but does allow writing a ZIP archive to an unintended location.) This affects Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5. |