
CWE-270 (Privilege Context Switching Error) — Vulnerability Class 23

23 vulnerabilities classified as CWE-270 (Privilege Context Switching Error). AI Chinese analysis included.

CWE-270 represents a privilege context switching error, a critical weakness where software fails to properly manage access rights during transitions between distinct operational contexts. This flaw typically arises when an application moves between high-privilege and low-privilege states without correctly resetting or verifying permissions, leaving a window in which security controls are not enforced. By manipulating the timing or sequence of these context switches, an attacker can execute unauthorized actions or access sensitive data that should remain restricted. To mitigate this risk, developers must implement rigorous privilege management, ensuring that permissions are explicitly validated and adjusted at every context boundary. Applying the principle of least privilege, enforcing strict state transitions, and conducting thorough code reviews of context-switching logic are essential strategies to prevent such vulnerabilities from being exploited in production environments.

MITRE CWE Description
The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
A user can assume the identity of another user with separate privileges in another context. This will give the user unauthorized access that may allow them to acquire the access information of other users.
Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design, Operation: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34853 | Huawei EMUI and Huawei HarmonyOS security vulnerability | HarmonyOS | 7.7 | High | 2026-04-13 |
| CVE-2025-55210 | FreePBX API has a Privilege Escalation Error in GraphQL Allowing Authenticated Users to Access Additional Scopes | api | 8.8 (AI) | High (AI) | 2026-02-12 |
| CVE-2025-60721 | Windows Administrator Protection Elevation of Privilege Vulnerability | Windows 11 Version 24H2 | 7.8 | High | 2025-11-11 |
| CVE-2025-9408 | Userspace privilege escalation vulnerability on Cortex M | Zephyr | 8.2 | High | 2025-11-11 |
| CVE-2025-26499 | Wind River Studio Developer security vulnerability | Wind River Studio Developer | 6.0 | Medium | 2025-09-11 |
| CVE-2025-46406 | Gallagher Command Centre Server security vulnerability | Command Centre Server | 5.6 | Medium | 2025-07-10 |
| CVE-2025-49583 | XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right | xwiki-platform | 4.6 (AI) | Medium (AI) | 2025-06-13 |
| CVE-2024-46975 | GPU DDK - rgxfw_write_robustness_buffer allows arbitrary catreg set mapping | Graphics DDK | 7.8 | - | 2025-02-22 |
| CVE-2024-12570 | Privilege Context Switching Error in GitLab | GitLab | 6.7 | Medium | 2024-12-12 |
| CVE-2024-11263 | arch: riscv: userspace: potential security risk when CONFIG_RISCV_GP=y | Zephyr | 9.4 | Critical | 2024-11-15 |
| CVE-2024-36513 | Fortinet FortiClient security vulnerability | FortiClientWindows | 7.4 | High | 2024-11-12 |
| CVE-2024-51987 | HTTP Client uses incorrect token after refresh in Duende.AccessTokenManagement.OpenIdConnect | Duende.AccessTokenManagement | 5.4 | Medium | 2024-11-07 |
| CVE-2024-47173 | Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups | ai-admin-graphql | 5.5 | Medium | 2024-10-24 |
| CVE-2024-8641 | Privilege Context Switching Error in GitLab | GitLab | 6.7 | Medium | 2024-09-12 |
| CVE-2024-37294 | Aimeos denial of service vulnerability in SaaS and marketplace setups | aimeos-core | 5.5 | Medium | 2024-06-11 |
| CVE-2023-37912 | XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro | xwiki-rendering | 10.0 | Critical | 2023-10-25 |
| CVE-2023-25754 | Apache Airflow: Privilege escalation using airflow logs | Apache Airflow | 7.5 | - | 2023-05-08 |
| CVE-2023-26475 | XWiki Platform vulnerable to Remote Code Execution in Annotations | xwiki-platform | 10.0 | Critical | 2023-03-02 |
| CVE-2020-1719 | Red Hat Wildfly security vulnerability | Wildfly | 7.1 | - | 2021-06-07 |
| CVE-2021-3493 | Linux kernel security vulnerability | linux kernel | 8.8 | High | 2021-04-17 |
| CVE-2020-7020 | Elasticsearch security vulnerability | Elasticsearch | 3.1 | - | 2020-10-22 |
| CVE-2020-7019 | Elasticsearch security vulnerability | Elasticsearch | 6.5 | - | 2020-08-18 |
| CVE-2017-2663 | Red Hat Candlepin subscription-manager permission and access control vulnerability | subscription-manager | 7.8 | - | 2018-07-27 |

Vulnerabilities classified as CWE-270 (Privilege Context Switching Error) represent 23 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.