Skip to main content

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

512 CVEs Avg CVSS 6.5 MITRE
14
CRITICAL
253
HIGH
196
MEDIUM
45
LOW
59
POC
4
KEV

Monthly

CVE-2026-48344 HIGH This Week

Local privilege escalation to arbitrary code execution affects the Adobe Creative Cloud Desktop application through a Time-of-check Time-of-use (TOCTOU) race condition, letting a low-privileged local attacker execute code and - because the CVSS scope is changed - impact resources beyond the initial security context. No user interaction is required, but the race is hard to win: exploitation depends on conditions beyond the attacker's control, reflected in the high attack complexity. At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

RCE Creative Cloud Desktop
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-4018 MEDIUM This Month

TOCTOU Race Condition in specific trace commands of the TraceEvent() system call could allow an attacker with local access and with the PROCMGR_AID_TRACE ability, to cause information disclosure, data tampering or a crash of the QNX Neutrino kernel.

Information Disclosure Qnx Software Development Platform Qnx Os For Safety Qnx Os For Medical
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-57973 MEDIUM PATCH Exploit Unlikely This Month

Time-of-check time-of-use (toctou) race condition in Windows Subsystem for Linux allows an authorized attacker to perform tampering locally.

Microsoft Information Disclosure Windows Subsystem For Linux Wsl2
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-56648 HIGH PATCH This Week

Elevation of privilege in the Windows Network File System (NFS) component affects a broad range of Microsoft platforms - Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025 - where an authorized attacker can win a time-of-check/time-of-use (TOCTOU) race condition over the network to gain higher privileges. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but high-complexity flaw requiring low-level existing privileges, with full high impact to confidentiality, integrity and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a Microsoft (MSRC) patch is available.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-56178 MEDIUM PATCH Exploit Unlikely This Month

Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.

Microsoft Information Disclosure Microsoft Defender For Endpoint For Mac
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-50658 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Defender for Endpoint for macOS lets an authenticated local attacker exploit a time-of-check-to-time-of-use race to gain elevated privileges. The flaw (CWE-367) requires winning a timing window between when Defender validates a resource and when it acts on it, yielding high confidentiality, integrity, and availability impact. Microsoft has published a fix, and there is no public exploit identified at time of analysis.

Microsoft Information Disclosure Microsoft Defender For Endpoint For Mac
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-45203 HIGH This Week

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets a malicious kernel driver inside a Host VM issue improper commands to the GPU firmware, causing a memory write outside the host kernel's permitted range. The flaw is a TOCTOU race in which values are altered in memory after the firmware validates them but before it uses them, bypassing the firmware's range enforcement. No public exploit identified at time of analysis, EPSS is low (0.12%, 2nd percentile), and it is not listed in CISA KEV.

Information Disclosure Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-56676 HIGH PATCH This Week

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-proxy user to reach internal-only HTTP services. The image-URL validation resolves the host once to a public IP, but open-sse/translator/concerns/image.js performs the actual server-side fetch with a separate DNS lookup, so an attacker-controlled name can rebind to an internal address between the two resolutions. No public exploit identified at time of analysis; the flaw is fixed in 0.5.2.

Information Disclosure 9Router
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-58198 PyPI MEDIUM PATCH This Month

Symlink-based extraction redirect in ChatterBot prior to 1.2.14 enables a local attacker with standard user privileges to cause training corpus archive contents to be written to an attacker-controlled directory by pre-planting a symlink at the predictable path ~/ubuntu_data/ubuntu_dialogs before UbuntuCorpusTrainer.extract() runs. The check-then-create pattern preceding tar.extractall() creates a CWE-367 TOCTOU window that, on shared multi-user systems, allows the attacker to intercept the extraction target without any race if the symlink is planted before the first training run. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 1.2.14.

Information Disclosure Chatterbot
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-58151 CRITICAL Act Now

Guest-to-host privilege escalation in varstored, the Xapi (XenServer/XCP-ng/Citrix Hypervisor) toolstack daemon that services UEFI variable requests for VMs, allows a malicious guest to corrupt control flow in the host-side process. Missing compiler barriers on a buffer shared with in-guest OVMF create a time-of-check/time-of-use race (CWE-367) that, in default builds, lets the attacker control an index into a jump table - yielding attacker-influenced execution in the toolstack. Tracked as Xen Security Advisory XSA-478 with a CVSS 4.0 base score of 9.4; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Varstored
NVD
CVSS 4.0
9.4
EPSS
0.1%
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation to arbitrary code execution affects the Adobe Creative Cloud Desktop application through a Time-of-check Time-of-use (TOCTOU) race condition, letting a low-privileged local attacker execute code and - because the CVSS scope is changed - impact resources beyond the initial security context. No user interaction is required, but the race is hard to win: exploitation depends on conditions beyond the attacker's control, reflected in the high attack complexity. At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

RCE Creative Cloud Desktop
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

TOCTOU Race Condition in specific trace commands of the TraceEvent() system call could allow an attacker with local access and with the PROCMGR_AID_TRACE ability, to cause information disclosure, data tampering or a crash of the QNX Neutrino kernel.

Information Disclosure Qnx Software Development Platform Qnx Os For Safety +1
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH Exploit Unlikely This Month

Time-of-check time-of-use (toctou) race condition in Windows Subsystem for Linux allows an authorized attacker to perform tampering locally.

Microsoft Information Disclosure Windows Subsystem For Linux Wsl2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Elevation of privilege in the Windows Network File System (NFS) component affects a broad range of Microsoft platforms - Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025 - where an authorized attacker can win a time-of-check/time-of-use (TOCTOU) race condition over the network to gain higher privileges. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but high-complexity flaw requiring low-level existing privileges, with full high impact to confidentiality, integrity and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a Microsoft (MSRC) patch is available.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH Exploit Unlikely This Month

Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.

Microsoft Information Disclosure Microsoft Defender For Endpoint For Mac
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Defender for Endpoint for macOS lets an authenticated local attacker exploit a time-of-check-to-time-of-use race to gain elevated privileges. The flaw (CWE-367) requires winning a timing window between when Defender validates a resource and when it acts on it, yielding high confidentiality, integrity, and availability impact. Microsoft has published a fix, and there is no public exploit identified at time of analysis.

Microsoft Information Disclosure Microsoft Defender For Endpoint For Mac
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets a malicious kernel driver inside a Host VM issue improper commands to the GPU firmware, causing a memory write outside the host kernel's permitted range. The flaw is a TOCTOU race in which values are altered in memory after the firmware validates them but before it uses them, bypassing the firmware's range enforcement. No public exploit identified at time of analysis, EPSS is low (0.12%, 2nd percentile), and it is not listed in CISA KEV.

Information Disclosure Graphics Ddk
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-proxy user to reach internal-only HTTP services. The image-URL validation resolves the host once to a public IP, but open-sse/translator/concerns/image.js performs the actual server-side fetch with a separate DNS lookup, so an attacker-controlled name can rebind to an internal address between the two resolutions. No public exploit identified at time of analysis; the flaw is fixed in 0.5.2.

Information Disclosure 9Router
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Symlink-based extraction redirect in ChatterBot prior to 1.2.14 enables a local attacker with standard user privileges to cause training corpus archive contents to be written to an attacker-controlled directory by pre-planting a symlink at the predictable path ~/ubuntu_data/ubuntu_dialogs before UbuntuCorpusTrainer.extract() runs. The check-then-create pattern preceding tar.extractall() creates a CWE-367 TOCTOU window that, on shared multi-user systems, allows the attacker to intercept the extraction target without any race if the symlink is planted before the first training run. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 1.2.14.

Information Disclosure Chatterbot
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

Guest-to-host privilege escalation in varstored, the Xapi (XenServer/XCP-ng/Citrix Hypervisor) toolstack daemon that services UEFI variable requests for VMs, allows a malicious guest to corrupt control flow in the host-side process. Missing compiler barriers on a buffer shared with in-guest OVMF create a time-of-check/time-of-use race (CWE-367) that, in default builds, lets the attacker control an index into a jump table - yielding attacker-influenced execution in the toolstack. Tracked as Xen Security Advisory XSA-478 with a CVSS 4.0 base score of 9.4; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Varstored
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy