目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CWE-362 使用共享资源的并发执行不恰当同步问题(竞争条件) 类漏洞列表 422

CWE-362 使用共享资源的并发执行不恰当同步问题(竞争条件) 类弱点 422 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-362 属于并发执行漏洞,指代码序列在需要独占访问共享资源时,因缺乏同步机制导致存在时间窗口,使其他并发序列能修改该资源。攻击者通常利用此竞态条件,通过精心构造并发请求篡改数据或绕过安全检查,从而引发逻辑错误或权限提升。开发者应避免此类问题,确保对共享资源的访问具备原子性,通过加锁、事务或原子操作等同步机制消除竞争窗口,保障数据一致性。

MITRE CWE 官方描述
CWE:CWE-362 并发执行时使用共享资源且同步不当(竞态条件,Race Condition) 该产品包含一个并发代码序列,该序列需要临时独占访问共享资源,但存在一个时间窗口,在此期间,另一个并发运行的代码序列可以修改该共享资源。 竞态条件发生在并发环境中,它本质上是代码序列的一种属性。根据上下文的不同,代码序列可能表现为函数调用、少量指令、一系列程序调用等形式。竞态条件违反了以下密切相关属性:独占性(Exclusivity)——代码序列被赋予对共享资源的独占访问权限,即在原始序列完成执行之前,没有其他代码序列可以修改共享资源的属性。原子性(Atomicity)——代码序列在行为上是原子的,即没有其他线程或进程可以针对同一资源并发执行相同的指令序列(或其子集)。当“干扰代码序列”(interfering code sequence)仍能访问共享资源时,便存在竞态条件,从而违反了独占性。干扰代码序列可以是“可信的”(trusted)或“不可信的”(untrusted)。可信的干扰代码序列存在于产品内部;攻击者无法对其进行修改,且只能通过间接方式调用。不可信的干扰代码序列可由攻击者直接编写,通常位于易受攻击的产品外部。
常见影响 (4)
AvailabilityDoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion.
AvailabilityDoS: Crash, Exit, or Restart, DoS: Instability
When a race condition allows multiple control flows to access a resource simultaneously, it might lead the product(s) into unexpected states, possibly resulting in a crash.
Confidentiality, IntegrityRead Files or Directories, Read Application Data
When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).
Access ControlExecute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism
This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.
缓解措施 (5)
Architecture and DesignIn languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Architecture and DesignUse thread-safe capabilities such as the data access abstraction in Spring.
Architecture and DesignMinimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring. Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
ImplementationWhen using multithreading and operating on shared variables, only use thread-safe functions.
ImplementationUse atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
代码示例 (2)
This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.
$transfer_amount = GetTransferAmount(); $balance = GetBalanceFromDatabase(); if ($transfer_amount < 0) { FatalError("Bad Transfer Amount"); } $newbalance = $balance - $transfer_amount; if (($balance - $transfer_amount) < 0) { FatalError("Insufficient Funds"); } SendNewBalanceToDatabase($newbalance); NotifyUser("Transfer of $transfer_amount succeeded."); NotifyUser("New balance: $newbalance");
Bad · Perl
In the following pseudocode, the attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account. CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance that handles CALLER-1). CALLER-2 is associated with PROGRAM-2. CALLER-1 makes a transfer request of 80.00. PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to 100.00 PROGRAM-1 calculates $newbalance as 20.00, then calls SendNewBalanceToDatabase(). Due to high server load, the PROGRAM-1 call to SendNewBalanceToDatabase() encounters a delay. CALLER-2 makes a transfer req
Attack · Other
The following function attempts to acquire a lock in order to perform operations on a shared resource.
void f(pthread_mutex_t *mutex) { pthread_mutex_lock(mutex); /* access shared resource */ pthread_mutex_unlock(mutex); }
Bad · C
int f(pthread_mutex_t *mutex) { int result; result = pthread_mutex_lock(mutex); if (0 != result) return result; /* access shared resource */ return pthread_mutex_unlock(mutex); }
Good · C
CVE ID标题CVSS风险等级Published
CVE-2026-7960 Google Chrome<148.0.7778.96 语音竞态条件漏洞 — Chrome--2026-05-06
CVE-2026-7954 Chrome<148.0.7778.96竞态条件漏洞 — Chrome--2026-05-06
CVE-2026-7948 Chrome Race条件漏洞致提权 — Chrome--2026-05-06
CVE-2026-7351 Google Chrome 竞争条件问题漏洞 — Chrome 3.1AILowAI2026-04-28
CVE-2026-41913 OpenClaw 竞争条件问题漏洞 — OpenClaw 3.7 Low2026-04-28
CVE-2026-6921 Google Chrome 竞争条件问题漏洞 — Chrome 7.7AIHighAI2026-04-23
CVE-2026-41458 OwnTone 竞争条件问题漏洞 — owntone-server 5.9AIMediumAI2026-04-22
CVE-2026-40943 oxia 竞争条件问题漏洞 — oxia 5.9AIMediumAI2026-04-21
CVE-2026-33827 Microsoft Windows TCP/IP 竞争条件问题漏洞 — Windows 10 Version 1607 8.1 High2026-04-14
CVE-2026-33104 Microsoft Win32k 资源管理错误漏洞 — Windows 10 Version 1607 7.0 High2026-04-14
CVE-2026-32164 Microsoft Windows 竞争条件问题漏洞 — Windows 10 Version 1607 7.8 High2026-04-14
CVE-2026-32163 Microsoft Windows 资源管理错误漏洞 — Windows 10 Version 1809 7.8 High2026-04-14
CVE-2026-32150 Microsoft Function Discovery Service 竞争条件问题漏洞 — Windows 10 Version 1607 7.0 High2026-04-14
CVE-2026-32091 Microsoft Brokering File System 资源管理错误漏洞 — Windows 10 Version 1607 8.4 High2026-04-14
CVE-2026-32088 Microsoft Windows 竞争条件问题漏洞 — Windows 10 Version 1809 6.1 Medium2026-04-14
CVE-2026-32086 Microsoft Function Discovery Service 竞争条件问题漏洞 — Windows 10 Version 1607 7.0 High2026-04-14
CVE-2026-32068 Microsoft Windows SSDP 竞争条件问题漏洞 — Windows 10 Version 1607 7.0 High2026-04-14
CVE-2026-27911 Microsoft Windows 资源管理错误漏洞 — Windows 10 Version 1607 7.8 High2026-04-14
CVE-2026-26173 Microsoft Windows Ancillary Function Driver for WinSock 代码问题漏洞 — Windows 10 Version 1607 7.0 High2026-04-14
CVE-2026-26172 Microsoft Windows Push Notifications 资源管理错误漏洞 — Windows 10 Version 21H2 7.8 High2026-04-14
CVE-2026-26168 Microsoft Windows Ancillary Function Driver for WinSock 资源管理错误漏洞 — Windows 10 Version 1607 7.8 High2026-04-14
CVE-2026-32226 Microsoft .NET Framework 竞争条件问题漏洞 — Microsoft .NET Framework 3.5 AND 4.7.2 5.9 Medium2026-04-14
CVE-2026-32160 Microsoft Windows Push Notifications 竞争条件问题漏洞 — Windows 10 Version 1809 7.8 High2026-04-14
CVE-2026-32159 Microsoft Windows Push Notifications 资源管理错误漏洞 — Windows 10 Version 1809 7.8 High2026-04-14
CVE-2026-32158 Microsoft Windows Push Notifications 资源管理错误漏洞 — Windows 10 Version 1809 7.8 High2026-04-14
CVE-2026-32090 Microsoft Windows 资源管理错误漏洞 — Windows 10 Version 1607 7.8 High2026-04-14
CVE-2026-32093 Microsoft Function Discovery Service 安全漏洞 — Windows 10 Version 1607 7.0 High2026-04-14
CVE-2026-32083 Microsoft Windows SSDP 竞争条件问题漏洞 — Windows 10 Version 1607 7.0 High2026-04-14
CVE-2026-32082 Microsoft Windows SSDP 竞争条件问题漏洞 — Windows 10 Version 1607 7.0 High2026-04-14
CVE-2026-27927 Microsoft Projected File System 资源管理错误漏洞 — Windows 10 Version 1809 7.8 High2026-04-14

CWE-362(使用共享资源的并发执行不恰当同步问题(竞争条件)) 是常见的弱点类别,本平台收录该类弱点关联的 422 条 CVE 漏洞。