CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
常见后果
影响范围: Availability
技术影响: DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other)
说明: When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion.
影响范围: Availability
技术影响: DoS: Crash, Exit, or Restart DoS: Instability
说明: When a race condition allows multiple control flows to access a resource simultaneously, it might lead the product(s) into unexpected states, possibly resulting in a crash.
影响范围: Confidentiality Integrity
技术影响: Read Files or Directories Read Application Data
说明: When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).
影响范围: Access Control
技术影响: Execute Unauthorized Code or Commands Gain Privileges or Assume Identity Bypass Protection Mechanism
说明: This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.
潜在缓解措施
阶段: Architecture and Design
描述: In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
阶段: Architecture and Design
描述: Use thread-safe capabilities such as the data access abstraction in Spring.
阶段: Architecture and Design
阶段: Implementation
描述: When using multithreading and operating on shared variables, only use thread-safe functions.
阶段: Implementation
描述: Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
阶段: Implementation
描述: Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
阶段: Implementation
描述: Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
阶段: Implementation
描述: Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
阶段: Implementation
描述: Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
阶段: Architecture and Design Operation
策略: Environment Hardening
描述: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
检测方法
方法: Black Box
Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.
方法: White Box
Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).
方法: Automated Dynamic Analysis
有效性: Moderate
方法: Automated Static Analysis - Binary or Bytecode
有效性: High
方法: Dynamic Analysis with Automated Results Interpretation
有效性: SOAR Partial
方法: Dynamic Analysis with Manual Results Interpretation
有效性: High
方法: Manual Static Analysis - Source Code
有效性: High
方法: Automated Static Analysis - Source Code
有效性: High
方法: Architecture or Design Review
有效性: High
观察示例
参考: CVE-2022-29527
Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition.
参考: CVE-2021-1782
Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV.
参考: CVE-2021-0920
Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
参考: CVE-2020-6819
Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
参考: CVE-2019-18827
chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys
参考: CVE-2019-1161
Chain: race condition (CWE-362) in anti-malware product allows deletion of files by creating a junction (CWE-1386) and using hard links during the time window in which a temporary file is created and deleted.
参考: CVE-2015-1743
TOCTOU in sandbox process allows installation of untrusted browser add-ons by replacing a file after it has been verified, but before it is executed
参考: CVE-2014-8273
Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237].
参考: CVE-2008-5044
Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time.
参考: CVE-2008-2958
chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
参考: CVE-2008-1570
chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
参考: CVE-2008-0058
Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object.
参考: CVE-2008-0379
Race condition during initialization triggers a buffer overflow.
参考: CVE-2007-6599
Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock.
参考: CVE-2007-6180
chain: race condition triggers NULL pointer dereference
参考: CVE-2007-5794
Race condition in library function could cause data to be sent to the wrong process.
参考: CVE-2007-3970
Race condition in file parser leads to heap corruption.
参考: CVE-2008-5021
chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory.
参考: CVE-2009-4895
chain: race condition for an argument value, possibly resulting in NULL dereference
参考: CVE-2009-3547
chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
参考: CVE-2006-5051
Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | Programmers may assume that certain code sequences execute too quickly to be affected by an interfering code sequence; when they are not, this violates atomicity. For example, the single "x++" statement may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read (the original value of x), followed by a computation (x+1), followed by a write (save the result to x). |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Race Conditions | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | VNA03-J | Do not assume that a group of calls to independently atomic methods is atomic | - |
关键信息
CWE ID: CWE-362
抽象级别: Class
结构: Simple
状态: Draft
利用可能性: Medium