Skip to main content

CWE-362

Race Condition

1767 CVEs Avg CVSS 6.3 MITRE
34
CRITICAL
799
HIGH
856
MEDIUM
77
LOW
185
POC
10
KEV

Monthly

CVE-2026-62294 MEDIUM PATCH This Month

Flameshot's 'Open With' feature prior to version 14.0.0 contains a TOCTOU (time-of-check to time-of-use) symlink-following race condition that allows a local unprivileged attacker on the same machine to overwrite arbitrary files writable by the victim user. By pre-planting a symlink at the predictable temporary file path before Flameshot writes the screenshot PNG, an attacker can redirect the write operation to any file within the victim's permissions - including configuration files, SSH keys, or application data. No public exploit identified at time of analysis, though the attack is straightforward given the deterministic path; the vendor-confirmed fix is available in v14.0.0.

Race Condition Information Disclosure Flameshot
NVD GitHub
CVSS 4.0
5.1
CVE-2026-50013 Go HIGH PATCH GHSA This Week

Denial of service in Hoverfly's Diff mode (versions ≤ 1.12.7) lets any client with proxy access crash the entire process by sending concurrent requests. The `AddDiff()` function writes to the shared `responsesDiff` map without a mutex, so simultaneous proxy requests - the normal case for a proxy - trigger Go's built-in concurrent-map detector, producing an unrecoverable `fatal error: concurrent map read and map write` that kills the process. Publicly available exploit code exists (a working POC is embedded in the GitHub advisory), though there is no public exploit identified as actively used in the wild and no KEV listing.

Apple Denial Of Service Race Condition
NVD GitHub
CVSS 3.1
7.5
CVE-2026-58628 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Wireless Networking component affects a broad span of currently supported Windows releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025), letting an already-authenticated local user win a timing race to gain SYSTEM-level control. The flaw is a CWE-362 race condition where improperly synchronized access to a shared resource can be manipulated during a narrow execution window; CVSS 7.8 reflects a high-complexity but high-impact local escalation with a scope change. Microsoft (the reporter) has shipped a patch, and there is no public exploit identified at time of analysis.

Microsoft Race Condition Information Disclosure Windows 10 Version 1809 Windows 10 Version 21H2 +9
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-58543 MEDIUM PATCH Exploit Unlikely This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.

Microsoft Race Condition Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 +3
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-58531 HIGH PATCH Exploit Likely This Week

Elevation of privilege in the Windows SMB implementation allows an authenticated network attacker to win a race condition and gain higher privileges on affected systems, spanning Windows 10, Windows 11, and Windows Server 2012 through 2025. The flaw is a concurrency defect (CWE-362) reported by Microsoft with a vendor patch already released; there is no public exploit identified at time of analysis. Note a data conflict: the description and CVSS impacts describe privilege elevation with full confidentiality/integrity/availability impact, while the intelligence tags also label it 'Information Disclosure' — the CVSS vector should be treated as authoritative.

Microsoft Race Condition Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-58527 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Runtime (WinRT) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2022/2025, where a race condition in shared-resource handling lets an already-authenticated local user win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and the CVSS base score is 7.8 (High). Note that Microsoft's tags label this as Information Disclosure while the description and CVSS impact metrics describe full privilege elevation - this discrepancy should be verified against the vendor advisory.

Microsoft Race Condition Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 +4
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-56649 MEDIUM PATCH This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.

Authentication Bypass Microsoft Race Condition Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2026-56188 CRITICAL PATCH NEWS Exploit Likely Act Now

Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthorized attacker execute arbitrary code across a wide range of Microsoft Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with full confidentiality, integrity, and availability impact, and an 'Authentication Bypass' tag suggests the flaw can also subvert access controls. There is no public exploit identified at time of analysis and no CISA KEV listing, but the network-facing, pre-authentication nature makes it a high-priority patch.

Authentication Bypass Microsoft Race Condition Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2026-54125 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Runtime (WinRT) across Windows 10, Windows 11, and Windows Server 2019 through 2025 allows an already-authenticated attacker to win a race condition and gain SYSTEM-level privileges. The flaw stems from concurrent access to a shared resource without proper synchronization, and full C:H/I:H/A:H impact indicates complete host compromise once triggered. Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Microsoft Race Condition Information Disclosure Windows 10 Version 1809 Windows 10 Version 21H2 +9
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-50676 HIGH PATCH This Week

Local privilege escalation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated local attacker to win a race condition and gain SYSTEM-level privileges. Rated CVSS 7.8 (High), the flaw stems from improper synchronization of a shared resource; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has released a patch via the MSRC update guide.

Microsoft Race Condition Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 +1
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVSS 5.1
MEDIUM PATCH This Month

Flameshot's 'Open With' feature prior to version 14.0.0 contains a TOCTOU (time-of-check to time-of-use) symlink-following race condition that allows a local unprivileged attacker on the same machine to overwrite arbitrary files writable by the victim user. By pre-planting a symlink at the predictable temporary file path before Flameshot writes the screenshot PNG, an attacker can redirect the write operation to any file within the victim's permissions - including configuration files, SSH keys, or application data. No public exploit identified at time of analysis, though the attack is straightforward given the deterministic path; the vendor-confirmed fix is available in v14.0.0.

Race Condition Information Disclosure Flameshot
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Denial of service in Hoverfly's Diff mode (versions ≤ 1.12.7) lets any client with proxy access crash the entire process by sending concurrent requests. The `AddDiff()` function writes to the shared `responsesDiff` map without a mutex, so simultaneous proxy requests - the normal case for a proxy - trigger Go's built-in concurrent-map detector, producing an unrecoverable `fatal error: concurrent map read and map write` that kills the process. Publicly available exploit code exists (a working POC is embedded in the GitHub advisory), though there is no public exploit identified as actively used in the wild and no KEV listing.

Apple Denial Of Service Race Condition
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Wireless Networking component affects a broad span of currently supported Windows releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025), letting an already-authenticated local user win a timing race to gain SYSTEM-level control. The flaw is a CWE-362 race condition where improperly synchronized access to a shared resource can be manipulated during a narrow execution window; CVSS 7.8 reflects a high-complexity but high-impact local escalation with a scope change. Microsoft (the reporter) has shipped a patch, and there is no public exploit identified at time of analysis.

Microsoft Race Condition Information Disclosure +11
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH Exploit Unlikely This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.

Microsoft Race Condition Information Disclosure +5
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Likely This Week

Elevation of privilege in the Windows SMB implementation allows an authenticated network attacker to win a race condition and gain higher privileges on affected systems, spanning Windows 10, Windows 11, and Windows Server 2012 through 2025. The flaw is a concurrency defect (CWE-362) reported by Microsoft with a vendor patch already released; there is no public exploit identified at time of analysis. Note a data conflict: the description and CVSS impacts describe privilege elevation with full confidentiality/integrity/availability impact, while the intelligence tags also label it 'Information Disclosure' — the CVSS vector should be treated as authoritative.

Microsoft Race Condition Information Disclosure +18
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Runtime (WinRT) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2022/2025, where a race condition in shared-resource handling lets an already-authenticated local user win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and the CVSS base score is 7.8 (High). Note that Microsoft's tags label this as Information Disclosure while the description and CVSS impact metrics describe full privilege elevation - this discrepancy should be verified against the vendor advisory.

Microsoft Race Condition Information Disclosure +6
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.

Authentication Bypass Microsoft Race Condition +18
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Exploit Likely Act Now

Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthorized attacker execute arbitrary code across a wide range of Microsoft Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with full confidentiality, integrity, and availability impact, and an 'Authentication Bypass' tag suggests the flaw can also subvert access controls. There is no public exploit identified at time of analysis and no CISA KEV listing, but the network-facing, pre-authentication nature makes it a high-priority patch.

Authentication Bypass Microsoft Race Condition +18
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Runtime (WinRT) across Windows 10, Windows 11, and Windows Server 2019 through 2025 allows an already-authenticated attacker to win a race condition and gain SYSTEM-level privileges. The flaw stems from concurrent access to a shared resource without proper synchronization, and full C:H/I:H/A:H impact indicates complete host compromise once triggered. Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Microsoft Race Condition Information Disclosure +11
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated local attacker to win a race condition and gain SYSTEM-level privileges. Rated CVSS 7.8 (High), the flaw stems from improper synchronization of a shared resource; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has released a patch via the MSRC update guide.

Microsoft Race Condition Information Disclosure +3
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy