
CWE-667 (Improper Locking) — Vulnerability Class 31

31 vulnerabilities classified as CWE-667 (Improper Locking). AI Chinese analysis included.

CWE-667 represents a synchronization weakness where software fails to properly acquire or release locks on shared resources, resulting in unpredictable state changes and potential data corruption. This flaw typically arises when concurrent threads or processes access critical sections without adhering to consistent locking protocols, allowing race conditions to occur. Attackers exploit these vulnerabilities by triggering simultaneous operations that bypass expected serialization, potentially leading to denial of service, privilege escalation, or integrity violations as the system enters an inconsistent state. Developers mitigate this risk by implementing rigorous locking strategies, ensuring that all code paths acquire and release locks symmetrically. Utilizing language-specific synchronization primitives, such as mutexes or semaphores, and conducting thorough concurrency testing helps guarantee that shared resources remain protected against interference, thereby maintaining application stability and security during high-concurrency scenarios.

MITRE CWE Description
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. Locking is a type of synchronization behavior that ensures that multiple independently-operating processes or threads do not interfere with each other when accessing the same resource. All processes/threads are expected to follow the same steps for locking. If these steps are not followed precisely - or if no locking is done at all - then another process/thread could modify the shared resource in a way that is not visible or predictable to the original process. This can lead to data or memory corruption, denial of service, etc.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU)
Inconsistent locking discipline can lead to deadlock.
Mitigations (1)
Implementation: Use industry standard APIs to implement the locking mechanism.
Examples (2)
In the following Java snippet, methods are defined to get and set a long field in an instance of a class that is shared across multiple threads. Because operations on double and long are nonatomic in Java, concurrent access may cause unexpected behavior. Thus, all operations on long and double fields should be synchronized.
    private long someLongValue;

    public long getLongValue() {
        return someLongValue;
    }

    public void setLongValue(long l) {
        someLongValue = l;
    }
Bad · Java
This code tries to obtain a lock for a file, then writes to it.
    function writeToLog($message){
        $logfile = fopen("logFile.log", "a");
        //attempt to get logfile lock
        if (flock($logfile, LOCK_EX)) {
            fwrite($logfile,$message);
            // unlock logfile
            flock($logfile, LOCK_UN);
        }
        else {
            print "Could not obtain lock on logFile.log, message not recorded\n";
        }
    }
    fclose($logFile);
Bad · PHP
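The "lock imbalance" and "missing release of locks" pattern that several entries in the CVE list below name is easiest to see on an error path. The following C example is added here and is not part of the MITRE text or of this page: log_append_bad leaks a pthread mutex on its early return, log_append_good releases it on every outcome, and log_lock_is_free uses trylock to show which state the mutex was left in (all names and the buffer are hypothetical, constructed for the example).

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a 16-byte log shared between threads, guarded by log_lock. */
static pthread_mutex_t log_lock = PTHREAD_MUTEX_INITIALIZER;
static char   log_buf[16];
static size_t log_len;

/* BAD: the "buffer full" early return leaves log_lock held, so the next caller
 * blocks forever in pthread_mutex_lock (CWE-667: lock imbalance, missing release). */
int log_append_bad(const char *msg)
{
    size_t n = strlen(msg);
    pthread_mutex_lock(&log_lock);
    if (log_len + n > sizeof log_buf)
        return -1;                      /* unlock forgotten on this path */
    memcpy(log_buf + log_len, msg, n);
    log_len += n;
    pthread_mutex_unlock(&log_lock);
    return 0;
}

/* GOOD: a single exit path, so the lock is released on every outcome. */
int log_append_good(const char *msg)
{
    size_t n = strlen(msg);
    int rc = -1;
    pthread_mutex_lock(&log_lock);
    if (log_len + n <= sizeof log_buf) {
        memcpy(log_buf + log_len, msg, n);
        log_len += n;
        rc = 0;
    }
    pthread_mutex_unlock(&log_lock);
    return rc;
}

/* Probe: 1 if log_lock is free, 0 if some path left it held. trylock never blocks,
 * and a default (non-recursive) mutex refuses a second lock even from its owner. */
int log_lock_is_free(void)
{
    if (pthread_mutex_trylock(&log_lock) != 0)
        return 0;
    pthread_mutex_unlock(&log_lock);
    return 1;
}
```

Call log_append_bad with a message longer than the buffer and log_lock_is_free() returns 0 afterwards; the same call through log_append_good leaves it at 1. In a real service the leaked lock surfaces as the deadlock named under Common Consequences, and a trylock-style probe or lock-balance checker in tests is the cheapest way to catch it before release.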
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-20065 | Multiple Cisco Products Snort 3 TBD Denial of Service Vulnerability | Cisco Secure Firewall Threat Defense (FTD) Software | 5.8 | Medium | 2026-03-04 |
| CVE-2026-20757 | Gallagher Command Centre Server Security Vulnerability | Command Centre Server | 2.5 | Low | 2026-03-03 |
| CVE-2026-21914 | Junos OS: SRX Series: A specifically malformed GTP message will cause an FPC crash | Junos OS | 7.5 | High | 2026-01-15 |
| CVE-2025-34467 | ZwiiCMS < 13.7.00 Lock Persistence Authenticated DoS Against Administrative Pages | ZwiiCMS | 6.5 | - | 2025-12-31 |
| CVE-2025-14345 | Cross-Shard Failovers May Lead to Partial Transaction Commit in MongoDB Server | MongoDB Server | 4.2 | Medium | 2025-12-09 |
| CVE-2025-10151 | Malicious TCP/IP thread locking leads into diverse malfunctions | smartLink HW-PN | 9.1 (AI) | Critical (AI) | 2025-10-28 |
| CVE-2025-58153 | BIG-IP HSB vulnerability | BIG-IP | 5.9 | Medium | 2025-10-15 |
| CVE-2025-1221 | DoS in Zigbee device due to heavy traffic | Zigbee | 7.5 (AI) | High (AI) | 2025-07-30 |
| CVE-2025-49178 | Xorg-x11-server-xwayland: xorg-x11-server: tigervnc: unprocessed client request due to bytes to ignore | xwayland | 5.5 | Medium | 2025-06-17 |
| CVE-2021-22530 | Improper account management vulnerability in NetIQ Advance Authentication | NetIQ Advance Authentication | 8.2 | High | 2024-08-28 |
| CVE-2024-32648 | vyper default functions don't respect nonreentrancy keys | vyper | 5.3 | Medium | 2024-04-25 |
| CVE-2023-44119 | Huawei HarmonyOS Security Vulnerability | HarmonyOS | 6.2 | - | 2023-10-11 |
| CVE-2023-3750 | Libvirt: improper locking in virstoragepoolobjlistsearch may lead to denial of service | Red Hat Enterprise Linux 9 | 6.5 | Medium | 2023-07-24 |
| CVE-2023-2612 | shiftfs lock unbalance in Ubuntu-specific kernels | ubuntu-linux | 4.4 | Medium | 2023-05-30 |
| CVE-2023-22412 | Junos OS: MX Series and SRX Series: The flow processing daemon (flowd) will crash if the SIP ALG is enabled and specific SIP messages are processed | Junos OS | 7.5 | High | 2023-01-12 |
| CVE-2022-3996 | X.509 Policy Constraints Double Locking | OpenSSL | 7.5 | - | 2022-12-13 |
| CVE-2022-4129 | Linux kernel Security Vulnerability | Linux kernel (l2tp) | 4.7 | - | 2022-11-28 |
| CVE-2022-3303 | Linux kernel Security Vulnerability | Linux kernel | 4.7 | - | 2022-09-27 |
| CVE-2022-3028 | Linux kernel Buffer Error Vulnerability | Linux kernel | 7.0 | - | 2022-08-31 |
| CVE-2021-3735 | QEMU Security Vulnerability | QEMU | 4.4 | - | 2022-08-26 |
| CVE-2022-2959 | Linux kernel Security Vulnerability | kernel | 7.0 | - | 2022-08-25 |
| CVE-2022-0897 | Red Hat libvirt Security Vulnerability | libvirt | 7.1 | - | 2022-03-25 |
| CVE-2021-4147 | Red Hat libvirt Security Vulnerability | libvirt | 5.5 | - | 2022-03-25 |
| CVE-2021-4149 | Linux kernel Race Condition Vulnerability | kernel | 5.5 | - | 2022-03-23 |
| CVE-2021-3667 | Red Hat libvirt Security Vulnerability | libvirt | 6.5 | - | 2022-03-02 |
| CVE-2021-20315 | Red Hat CentOS Stream Security Vulnerability | gnome-shell | 6.1 | - | 2022-02-18 |
| CVE-2022-22175 | Junos OS: MX Series and SRX Series: The flowd daemon will crash if the SIP ALG is enabled and specific SIP messages are processed | Junos OS | 7.5 | High | 2022-01-19 |
| CVE-2021-41141 | Missing release of locks in PJSIP | pjproject | 5.9 | Medium | 2022-01-04 |
| CVE-2021-41213 | Deadlock in mutually recursive `tf.function` objects | tensorflow | 5.5 | Medium | 2021-11-05 |
| CVE-2021-20291 | Red Hat Ceph Storage Security Vulnerability | containers/storage | 6.5 | - | 2021-04-01 |

Scores and severities marked "(AI)" are the site's AI-estimated values rather than a published CVSS rating; "-" means no severity was given.

Vulnerabilities classified as CWE-667 (Improper Locking) represent 31 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.