
CWE-366 (Race Condition within a Thread) — Vulnerability Class, 14 CVEs

14 vulnerabilities classified as CWE-366 (Race Condition within a Thread). AI analysis (originally in Chinese) included.

CWE-366 is a concurrency weakness: two or more threads use a shared resource at the same time without coordination, so one thread can observe the resource while another has it in an intermediate, invalid state, and the program's execution state becomes undefined. It arises when a critical section (a read-modify-write, a check-then-act, or an initialisation sequence) is not protected. An attacker who can influence scheduling, for instance by driving many requests or threads at once or by slowing one code path, widens the race window and steers the program into the inconsistent state; the result can be corrupted data, a bypassed check or privilege boundary, or a crash. A typical instance is one thread reading a variable while another is halfway through updating it, so the reader acts on a partially written value. The fix is synchronisation that covers the entire critical section rather than the individual stores: a mutex or semaphore held around the whole operation, or atomic operations where the shared state is a single variable. Hold the lock for the read as well as the write, keep lock ordering consistent to avoid deadlock, and run a race detector (ThreadSanitizer via -fsanitize=thread in clang/gcc, or go test -race) before shipping, since races rarely show up in ordinary functional tests.

MITRE CWE Description
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
Common Consequences (1)
Scope: Integrity, Other
Impact: Alter Execution Logic, Unexpected State
Note: The main problem is that, if a lock is overcome, data could be altered in a bad state.
Mitigations (2)
Phase: Architecture and Design. Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment.
Phase: Architecture and Design. Create resource-locking validation checks. If no inherent locking mechanisms exist, use flags and signals to enforce your own blocking scheme when resources are being used by other threads of execution.
Examples (1)
The following example demonstrates the weakness, first in C and then in Java.

Bad · C

```c
int foo = 0;

int storenum(int num) {
    static int counter = 0;
    counter++;                 /* unsynchronised read-modify-write on shared state */
    if (num > foo)             /* check-then-act on foo with no lock held */
        foo = num;
    return foo;
}
```

Bad · Java

```java
public class Race {
    static int foo = 0;

    public static void main(String[] args) {
        new Threader().start();
        foo = 1;                       // races with the read in Threader.run()
    }

    public static class Threader extends Thread {
        public void run() {
            System.out.println(foo);   // may print 0 or 1 depending on scheduling
        }
    }
}
```
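To make the lost-update behaviour of the C storenum() example above concrete, and to show the locking mitigation the CWE entry recommends, here is an added example that is not part of the CWE entry or this page. It keeps the racy function next to a version whose whole critical section is guarded by one POSIX mutex, then hammers both from several threads. The thread counts, the worker harness and the function names storenum_racy/storenum_safe/run_racy/run_safe are my own constructions; build with -pthread.

```c
#include <pthread.h>
#include <stdio.h>

#define NTHREADS 8
#define ITERS 100000

/* --- Unsynchronised version: the CWE-366 storenum() shape --- */
/* Both globals are updated with unlocked read-modify-write sequences, so two
 * threads can load the same counter value and one increment is lost; the
 * compare-then-assign on foo can be interleaved the same way. */
static int racy_foo = 0;
static int racy_counter = 0;

static int storenum_racy(int num) {
    racy_counter++;                 /* load, add, store: not atomic */
    if (num > racy_foo)             /* check ...                    */
        racy_foo = num;             /* ... then act, no lock between */
    return racy_foo;
}

/* --- Hardened version: one mutex covers the whole critical section --- */
static pthread_mutex_t store_lock = PTHREAD_MUTEX_INITIALIZER;
static int safe_foo = 0;
static int safe_counter = 0;

static int storenum_safe(int num) {
    pthread_mutex_lock(&store_lock);
    safe_counter++;
    if (num > safe_foo)
        safe_foo = num;
    int result = safe_foo;          /* read the return value inside the lock too */
    pthread_mutex_unlock(&store_lock);
    return result;
}

/* Worker harness (constructed for this example): each thread calls fn()
 * ITERS times with distinct, increasing values. */
struct worker_arg { int id; int (*fn)(int); };

static void *worker(void *p) {
    struct worker_arg *a = p;
    for (int i = 0; i < ITERS; i++)
        a->fn(a->id * ITERS + i);
    return NULL;
}

static void run_workers(int (*fn)(int)) {
    pthread_t th[NTHREADS];
    struct worker_arg args[NTHREADS];
    for (int i = 0; i < NTHREADS; i++) {
        args[i].id = i;
        args[i].fn = fn;
        pthread_create(&th[i], NULL, worker, &args[i]);
    }
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(th[i], NULL);
}

/* Final counter after NTHREADS*ITERS locked calls: always exactly that many. */
int run_safe(void) { run_workers(storenum_safe); return safe_counter; }
/* Largest value stored by the locked version: the largest num passed in. */
int safe_max(void) { return safe_foo; }

/* Final counter after the same number of unlocked calls: on a multi-core
 * machine this is usually smaller than NTHREADS*ITERS (lost updates). */
int run_racy(void) { run_workers(storenum_racy); return racy_counter; }

int main(void) {
    int expected = NTHREADS * ITERS;
    int racy = run_racy();
    int safe = run_safe();
    printf("expected calls: %d\n", expected);
    printf("racy counter:   %d (lost %d updates)\n", racy, expected - racy);
    printf("safe counter:   %d, max stored %d\n", safe, safe_max());
    return 0;
}
```

The racy counter only ever ends below the true call count, never above, which is why a single run can look "almost right" and pass a careless test. Compiling the same file with clang or gcc and -fsanitize=thread reports the data race on racy_counter and racy_foo deterministically, without needing to observe a lost update.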
CVSS and Severity values marked (AI) are labelled on the source page as AI-estimated rather than vendor/NVD scores; "-" means no severity was recorded.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-3904 | GNU C Library security vulnerability | glibc | 6.8 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-23684 | Race condition vulnerability in SAP Commerce Cloud | SAP Commerce Cloud | 5.9 | Medium | 2026-02-10 |
| CVE-2026-22819 | Outray has a Race Condition in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts | outray | 5.9 | Medium | 2026-01-14 |
| CVE-2025-31115 | XZ has a heap-use-after-free bug in threaded .xz decoder | xz | 7.5 (AI) | High (AI) | 2025-04-03 |
| CVE-2024-10630 | Ivanti Application Control security vulnerability | Application Control Engine | 7.8 | High | 2025-01-14 |
| CVE-2024-2032 | Race Condition Vulnerability in zenml-io/zenml | zenml-io/zenml | 5.9 (AI) | Medium (AI) | 2024-06-06 |
| CVE-2023-6546 | Kernel: gsm multiplexing race condition leads to privilege escalation | Red Hat Enterprise Linux 8 | 7.0 | High | 2023-12-21 |
| CVE-2023-4732 | Kernel: race between task migrating pages and another task calling exit_mmap to release those same pages getting invalid opcode bug in include/linux/swapops.h | Red Hat Enterprise Linux 8 | 4.7 | Medium | 2023-10-03 |
| CVE-2023-4127 | Race Condition within a Thread in answerdev/answer | answerdev/answer | 7.5 | - | 2023-08-03 |
| CVE-2023-3218 | Race Condition within a Thread in it-novum/openitcockpit | it-novum/openitcockpit | 7.5 | - | 2023-06-13 |
| CVE-2015-10067 | oznetmaster SSharpSmartThreadPool SmartThreadPool.cs race condition | SSharpSmartThreadPool | 4.6 | Medium | 2023-01-18 |
| CVE-2022-1729 | Linux kernel race condition vulnerability | linux kernel | 7.0 | - | 2022-09-01 |
| CVE-2021-26569 | Synology DiskStation Manager race condition vulnerability | Synology DiskStation Manager (DSM) | 9.8 | Critical | 2021-03-12 |
| CVE-2020-1629 | Junos OS: A race condition vulnerability may cause RPD daemon to crash when processing a BGP NOTIFICATION message. | Junos OS | 5.9 | Medium | 2020-04-08 |

The 14 CVEs listed above are classified as CWE-366 (Race Condition within a Thread). The CWE taxonomy describes the weakness class; review each CVE for its product-specific impact.