VYPR

CWE-667

Improper Locking

ClassDraft

Description

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-25 · CAPEC-26 · CAPEC-27

CVEs mapped to this weakness (147)

page 1 of 8
  • CVE-2025-43510HigKEVDec 12, 2025
    risk 0.63cvss 7.8epss 0.00

    A memory corruption issue was addressed with improved lock state checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A malicious application…

  • CVE-2018-0228HigApr 19, 2018
    risk 0.56cvss 8.6epss 0.04

    A vulnerability in the ingress flow creation functionality of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the CPU to increase upwards of 100% utilization, causing a denial of service (DoS) condition on an affected system. The…

  • CVE-2010-4210HigNov 22, 2010
    risk 0.54cvss 7.8epss 0.01

    The pfs_getextattr function in FreeBSD 7.x before 7.3-RELEASE and 8.x before 8.0-RC1 unlocks a mutex that was not previously locked, which allows local users to cause a denial of service (kernel panic), overwrite arbitrary memory locations, and possibly execute arbitrary code…

  • CVE-2002-1850HigDec 31, 2002
    risk 0.53cvss 7.5epss 0.17

    mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly remote attackers to cause a denial of service (hang and memory consumption) by causing a CGI script to send a large amount of data to stderr, which results in a read/write deadlock between httpd and the CGI…

  • CVE-2026-23103HigFeb 4, 2026
    risk 0.51cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so…

  • CVE-2024-26934HigMay 1, 2024
    risk 0.51cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix deadlock in usb_deauthorize_interface() Among the attribute file callback routines in drivers/usb/core/sysfs.c, the interface_authorized_store() function is the only one which acquires a device…

  • CVE-2002-0051HigApr 4, 2002
    risk 0.51cvss 7.8epss 0.01

    Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access.

  • CVE-2026-43215HigMay 6, 2026
    risk 0.50cvss 8.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to…

  • CVE-2026-31629HigApr 24, 2026
    risk 0.50cvss 8.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put()…

  • CVE-2009-4272HigJan 27, 2010
    risk 0.50cvss 7.5epss 0.11

    A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing…

  • CVE-2022-24946HigJun 15, 2022
    risk 0.49cvss 7.5epss 0.02

    Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC iQ-R Series R12CCPU-V firmware versions "16" and prior, Mitsubishi Electric MELSEC-Q Series Q03UDECPU the first 5 digits of serial No. "24061" and prior, Mitsubishi Electric MELSEC-Q Series…

  • CVE-2006-5158HigOct 5, 2006
    risk 0.49cvss 7.5epss 0.03

    The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock.

  • CVE-2006-2275HigMay 9, 2006
    risk 0.49cvss 7.5epss 0.03

    Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."

  • CVE-2025-10151HigOct 28, 2025
    risk 0.47cvss epss 0.00

    Improper locking vulnerability in Softing Industrial Automation GmbH gateways allows infected memory and/or resource leak exposure.This issue affects smartLink HW-PN: from 1.02 through 1.03 smartLink HW-DP: 1.31

  • CVE-2024-58087HigMar 12, 2025
    risk 0.46cvss 8.1epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix racy issue from session lookup and expire Increment the session reference count within the lock for lookup to avoid racy issue with session expire.

  • CVE-2026-43211HigMay 6, 2026
    risk 0.44cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_slot_trylock() error handling Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but…

  • CVE-2026-31667HigApr 24, 2026
    risk 0.44cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular locking dependency with ff-core A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing…

  • CVE-2018-15390MedOct 5, 2018
    risk 0.44cvss 6.8epss 0.01

    A vulnerability in the FTP inspection engine of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected…

  • CVE-2009-2699HigOct 13, 2009
    risk 0.43cvss 7.5epss 0.14

    The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a…

  • CVE-2004-0174HigMay 4, 2004
    risk 0.43cvss 7.5epss 0.12

    Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."