Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-667 (加锁机制不恰当) — Vulnerability Class 31

31 vulnerabilities classified as CWE-667 (加锁机制不恰当). AI Chinese analysis included.

CWE-667 represents a synchronization weakness where software fails to properly acquire or release locks on shared resources, resulting in unpredictable state changes and potential data corruption. This flaw typically arises when concurrent threads or processes access critical sections without adhering to consistent locking protocols, allowing race conditions to occur. Attackers exploit these vulnerabilities by triggering simultaneous operations that bypass expected serialization, potentially leading to denial of service, privilege escalation, or integrity violations as the system enters an inconsistent state. Developers mitigate this risk by implementing rigorous locking strategies, ensuring that all code paths acquire and release locks symmetrically. Utilizing language-specific synchronization primitives, such as mutexes or semaphores, and conducting thorough concurrency testing helps guarantee that shared resources remain protected against interference, thereby maintaining application stability and security during high-concurrency scenarios.

MITRE CWE Description
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. Locking is a type of synchronization behavior that ensures that multiple independently-operating processes or threads do not interfere with each other when accessing the same resource. All processes/threads are expected to follow the same steps for locking. If these steps are not followed precisely - or if no locking is done at all - then another process/thread could modify the shared resource in a way that is not visible or predictable to the original process. This can lead to data or memory corruption, denial of service, etc.
Common Consequences (1)
AvailabilityDoS: Resource Consumption (CPU)
Inconsistent locking discipline can lead to deadlock.
Mitigations (1)
ImplementationUse industry standard APIs to implement locking mechanism.
Examples (2)
In the following Java snippet, methods are defined to get and set a long field in an instance of a class that is shared across multiple threads. Because operations on double and long are nonatomic in Java, concurrent access may cause unexpected behavior. Thus, all operations on long and double fields should be synchronized.
private long someLongValue; public long getLongValue() { return someLongValue; } public void setLongValue(long l) { someLongValue = l; }
Bad · Java
This code tries to obtain a lock for a file, then writes to it.
function writeToLog($message){ $logfile = fopen("logFile.log", "a"); //attempt to get logfile lock if (flock($logfile, LOCK_EX)) { fwrite($logfile,$message); // unlock logfile flock($logfile, LOCK_UN); } else { print "Could not obtain lock on logFile.log, message not recorded\n"; } } fclose($logFile);
Bad · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2019-3901 编号重复 — kernel 4.7AIMediumAI2019-04-22

Vulnerabilities classified as CWE-667 (加锁机制不恰当) represent 31 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.