VYPR

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

Base · Incomplete · Likelihood: Medium

Description

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-27 · CAPEC-29

CVEs mapped to this weakness (249)

page 4 of 13
  • CVE-2026-35352 · High · Apr 22, 2026
    risk 0.46 · cvss 7.0 · epss 0.00

    A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO…

  • CVE-2026-41296 · High · Apr 21, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read…

  • CVE-2026-32093 · High · Apr 14, 2026
    risk 0.46 · cvss 7.0 · epss 0.01

    Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.

  • CVE-2026-27929 · High · Apr 14, 2026
    risk 0.46 · cvss 7.0 · epss 0.00

    Time-of-check time-of-use (toctou) race condition in Windows LUAFV allows an authorized attacker to elevate privileges locally.

  • CVE-2026-0924 · High · Feb 2, 2026
    risk 0.46 · cvss 7.0 · epss 0.00

    BuhoCleaner contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoCleaner: 1.15.2.

  • CVE-2025-23279 · High · Aug 2, 2025
    risk 0.46 · cvss 7.0 · epss 0.00

    NVIDIA .run Installer for Linux and Solaris contains a vulnerability where an attacker could use a race condition to escalate privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, denial of service,…

  • CVE-2024-50592 · High · Nov 8, 2024
    risk 0.46 · cvss 7.0 · epss 0.00

    An attacker with local access to the medical office computer can escalate his Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a race condition in the Elefant Update Service during the repair or update process. When using the repair function, the service…

  • CVE-2024-43882 · High · Aug 21, 2024
    risk 0.46 · cvss 7.0 · epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer…

  • CVE-2024-26974 · High · May 1, 2024
    risk 0.46 · cvss 7.0 · epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: crypto: qat - resolve race condition during AER recovery During the PCI AER system's error recovery process, the kernel driver may encounter a race condition with freeing the reset_data structure's memory. If…

  • CVE-2021-33632 · High · Mar 25, 2024
    risk 0.46 · cvss 7.0 · epss 0.00

    Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in openEuler iSulad on Linux allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This vulnerability is associated with program files https://gitee.Com/openeuler/iSulad/blob/master/src/cmd/isulad…

  • CVE-2026-54353 · High · Jun 22, 2026
    risk 0.45 · cvss · epss 0.00

    Summary Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS…

  • CVE-2025-8192 · Medium · Jul 31, 2025
    risk 0.45 · cvss · epss 0.00

    There exists a TOCTOU race condition in TvSettings AppRestrictionsFragment.java that leads to the start of an attacker-supplied activity in Settings' context, i.e. system-uid context, and thus leads to launchAnyWhere. The core idea is to utilize the time window between the check of Intent…

  • CVE-2026-43433 · High · May 8, 2026
    risk 0.44 · cvss 7.8 · epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is…

  • CVE-2026-31678 · High · Apr 25, 2026
    risk 0.44 · cvss 7.8 · epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent…

  • CVE-2026-23554 · High · Mar 23, 2026
    risk 0.44 · cvss 7.8 · epss 0.00

    The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the…

  • CVE-2025-9810 · Medium · Sep 1, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    TOCTOU in linenoiseHistorySave in linenoise allows local attackers to overwrite arbitrary files and change permissions via a symlink race between fopen("w") on the history path and subsequent chmod() on the same path.

  • CVE-2026-44113 · High · May 6, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions…

  • CVE-2025-58131 · Medium · Sep 9, 2025
    risk 0.43 · cvss 6.6 · epss 0.00

    Race condition in the Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon before version 6.4.10 (or before 6.2.15 and 6.3.12 in their respective tracks) may allow an authenticated user to conduct a disclosure of information via network access.

  • CVE-2024-34528 · High · May 6, 2024
    risk 0.43 · cvss 7.7 · epss 0.00

    WordOps through 3.20.0 has a wo/cli/plugins/stack_pref.py TOCTOU race condition because the conf_path os.open does not use a mode parameter during file creation.

  • CVE-2025-59610 · Medium · Jun 1, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    Memory Corruption when processing IOCTL requests with mismatched API versions due to concurrent modification of user-space buffer.