Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-413 (资源加锁不恰当) — Vulnerability Class 11

11 vulnerabilities classified as CWE-413 (资源加锁不恰当). AI Chinese analysis included.

CWE-413 represents a concurrency weakness where a software product fails to acquire or maintain exclusive access to a shared resource during critical operations. This flaw typically arises when developers neglect to implement proper synchronization mechanisms, such as mutexes or semaphores, around code sections that modify or read shared data. Attackers exploit this vulnerability by triggering race conditions, allowing them to interleave malicious operations with legitimate processes. By modifying the resource while it is being processed, the attacker violates the application’s assumptions about data integrity, potentially leading to unexpected behaviors, data corruption, or denial of service. To prevent this, developers must rigorously implement locking protocols that ensure atomicity and consistency. This involves identifying all shared resources and applying appropriate locks to guarantee that only one thread can access the resource at a time, thereby eliminating the window for concurrent exploitation.

MITRE CWE Description
The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the product. This might violate the product's assumption that the resource will not change, potentially leading to unexpected behaviors.
Common Consequences (1)
Integrity, AvailabilityModify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart
Mitigations (2)
Architecture and DesignUse a non-conflicting privilege scheme.
Architecture and Design, ImplementationUse synchronization when locking a resource.
Examples (2)
The following function attempts to acquire a lock in order to perform operations on a shared resource.
void f(pthread_mutex_t *mutex) { pthread_mutex_lock(mutex); /* access shared resource */ pthread_mutex_unlock(mutex); }
Bad · C
int f(pthread_mutex_t *mutex) { int result; result = pthread_mutex_lock(mutex); if (0 != result) return result; /* access shared resource */ return pthread_mutex_unlock(mutex); }
Good · C
This Java example shows a simple BankAccount class with deposit and withdraw methods.
public class BankAccount { // variable for bank account balance private double accountBalance; // constructor for BankAccount public BankAccount() { accountBalance = 0; } // method to deposit amount into BankAccount public void deposit(double depositAmount) { double newBalance = accountBalance + depositAmount; accountBalance = newBalance; } // method to withdraw amount from BankAccount public void withdraw(double withdrawAmount) { double newBalance = accountBalance - withdrawAmount; accountBalance = newBalance; } // other methods for accessing the BankAccount object ... }
Bad · Java
public class BankAccount { ... // synchronized method to deposit amount into BankAccount public synchronized void deposit(double depositAmount) { ... } // synchronized method to withdraw amount from BankAccount public synchronized void withdraw(double withdrawAmount) { ... } ... }
Good · Java
CVE IDTitleCVSSSeverityPublished
CVE-2026-32748 Squid has Denial of Service in ICP Response handling — squid 7.5 -2026-03-26
CVE-2025-0003 AMD Xilinx Run Time 安全漏洞 — Xilinx Run Time (XRT) 7.3 High2025-11-24
CVE-2025-3450 Automation Runtime SDM requests may impact system — Automation Runtime 10.0 Critical2025-10-07
CVE-2023-32253 Kernel: deadlock in ksmbd_find_crypto_ctx() 5.9 Medium2025-08-02
CVE-2022-49737 X.Org X Server 安全漏洞 — X server 7.7 High2025-03-16
CVE-2023-33951 Kernel: vmwgfx: race condition leading to information disclosure vulnerability — Red Hat Enterprise Linux 8 6.7 Medium2023-07-24
CVE-2023-2430 Linux kernel 安全漏洞 — kernel 5.5 -2023-07-23
CVE-2023-28649 Snap One OvrC Cloud 输入验证错误漏洞 — OvrC Cloud 8.6 High2023-05-22
CVE-2023-2269 Linux kernel 安全漏洞 — Kernel 5.5 -2023-04-25
CVE-2022-20678 Cisco IOS XE Software AppNav-XE Denial of Service Vulnerability — Cisco IOS XE Software 8.6 High2022-04-15
CVE-2019-17102 Bitdefender BOX v2 bootstrap update_setup command execution vulnerability (VA-2226) — Bitdefender BOX 2 8.3 High2020-01-27

Vulnerabilities classified as CWE-413 (资源加锁不恰当) represent 11 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.