Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-662 (不恰当的同步机制) — Vulnerability Class 3

3 vulnerabilities classified as CWE-662 (不恰当的同步机制). AI Chinese analysis included.

CWE-662 represents a critical concurrency weakness where software fails to properly coordinate access to shared resources among multiple threads or processes. This lack of synchronization allows simultaneous, unsanctioned access to data structures or memory locations that require exclusive control, leading to unpredictable system behavior. Attackers typically exploit this vulnerability by triggering race conditions, manipulating timing to cause data corruption, privilege escalation, or denial of service. By reading or writing inconsistent states, adversaries can bypass security checks or crash the application. Developers mitigate this risk by implementing robust synchronization mechanisms, such as mutexes, semaphores, or atomic operations, to ensure that only one thread accesses the critical section at a time. Rigorous code reviews and static analysis tools further help identify these concurrency flaws before deployment, ensuring data integrity and system stability in multi-threaded environments.

MITRE CWE Description
The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. Synchronization refers to a variety of behaviors and mechanisms that allow two or more independently-operating processes or threads to ensure that they operate on shared resources in predictable ways that do not interfere with each other. Some shared resource operations cannot be executed atomically; that is, multiple steps must be guaranteed to execute sequentially, without any interference by other processes. Synchronization mechanisms vary widely, but they may include locking, mutexes, and semaphores. When a multi-step operation on a shared resource cannot be guaranteed to execute independent of interference, then the resulting behavior can be unpredictable. Improper synchronization could lead to data or memory corruption, denial of service, etc.
Common Consequences (1)
Integrity, Confidentiality, OtherModify Application Data, Read Application Data, Alter Execution Logic
Mitigations (1)
ImplementationUse industry standard APIs to synchronize your code.
Examples (2)
The following function attempts to acquire a lock in order to perform operations on a shared resource.
void f(pthread_mutex_t *mutex) { pthread_mutex_lock(mutex); /* access shared resource */ pthread_mutex_unlock(mutex); }
Bad · C
int f(pthread_mutex_t *mutex) { int result; result = pthread_mutex_lock(mutex); if (0 != result) return result; /* access shared resource */ return pthread_mutex_unlock(mutex); }
Good · C
The following code intends to fork a process, then have both the parent and child processes print a single line.
static void print (char * string) { char * word; int counter; for (word = string; counter = *word++; ) { putc(counter, stdout); fflush(stdout); /* Make timing window a little larger... */ sleep(1); } } int main(void) { pid_t pid; pid = fork(); if (pid == -1) { exit(-2); } else if (pid == 0) { print("child\n"); } else { print("PARENT\n"); } exit(0); }
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2025-27104 double eval in For List Iter in Vyper — vyper 8.8 -2025-02-21
CVE-2024-7409 Qemu: denial of service via improper synchronization in qemu nbd server during socket closure 7.5AIHighAI2024-08-05
CVE-2024-32644 Evmos' transaction execution not accounting for all state transition after interaction with precompiles — evmos 9.1 Critical2024-04-19

Vulnerabilities classified as CWE-662 (不恰当的同步机制) represent 3 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.