Race Condition

Improper synchronization of the userTokens map in Canonical Juju API server (versions 4.0.5, 3.6.20, and 2.9.56) enables authenticated users to trigger denial of service or reuse single-use discharge tokens due to a race condition. The vulnerability requires low privilege authentication and partial attacker timing control but allows complete availability impact to the server. EPSS score of 6.1 reflects moderate real-world exploitation risk, though no public exploit code or active exploitation has been confirmed.

Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)

Race in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Remnawave Backend prior to version 2.7.5 allows authenticated users to bypass HWID device registration limits through a race condition in the device registration logic, enabling subscription resale and excessive traffic consumption. The vulnerability requires valid authentication credentials but affects the integrity of subscription management controls across the system. A vendor-released patch is available in version 2.7.5.

In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario: cpu0 cpu1 cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list); cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

Use-after-free in Samsung Exynos Wi-Fi driver affects 11 mobile and wearable processor models via race condition triggered by concurrent ioctl calls. Local attackers with low privileges can exploit improper synchronization on a global variable to achieve high-impact compromise (confidentiality, integrity, availability). EPSS data not available; no confirmed active exploitation (not in CISA KEV); public exploit code status unknown. Attack complexity rated high (AC:H) due to race condition timing requirements, reducing immediate weaponization risk despite 7.0 CVSS score.

Race condition in Samsung Exynos Wi-Fi drivers enables local privilege escalation to kernel execution via double-free memory corruption. Affects 11 mobile and wearable processors (Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, W1000). Local attackers with low privileges can trigger memory corruption by racing ioctl calls across threads, achieving high confidentiality, integrity, and availability impact. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood despite CVSS 7.0 severity. No public exploit identified at time of analysis.

Race condition in Linux kernel QMan driver allows concurrent queue frame descriptor allocation and deallocation to corrupt internal state, causing WARN_ON triggers and potential information disclosure via stale fq_table entries. The vulnerability affects systems using Freescale/NXP QBMan queue management with dynamic FQID allocation enabled (QMAN_FQ_FLAG_DYNAMIC_FQID). No public exploit code or active exploitation confirmed; upstream fix merged via memory barrier enforcement to serialize table cleanup before FQID pool deallocation.

Linux kernel runtime PM subsystem contains a use-after-free race condition in pm_runtime_work() where the dev->parent pointer may be dereferenced after the parent device has been freed during device removal. This results in a KASAN-detectable memory safety violation that can trigger kernel panics or arbitrary memory access. The vulnerability affects all Linux kernel versions and is resolved by adding a flush_work() call to pm_runtime_remove() to serialize device removal with pending runtime PM work.

Race condition in Linux kernel net/mlx5e IPSec offload driver allows concurrent access to a shared DMA-mapped ASO context, potentially causing information disclosure or incorrect IPSec processing results. The vulnerability affects systems using Mellanox MLX5 network adapters with IPSec offload functionality. An attacker with local access to initiate multiple IPSec operations in rapid succession can trigger the race condition, corrupting the shared context and causing subsequent operations to read invalid data, compromising confidentiality and integrity of IPSec-protected traffic.

Linux kernel net/mlx5e driver suffers a race condition during IPSec ESN (Extended Sequence Number) update handling that causes incorrect ESN high-order bit increments, leading to anti-replay failures and IPSec traffic halts. The vulnerability affects systems using Mellanox ConnectX adapters with IPSec full offload mode enabled. Attackers with local network access or the ability to trigger IPSec traffic patterns could exploit this to disrupt encrypted communications, though no public exploit code or active exploitation has been reported.

Linux kernel net shaper module fails to validate netdev liveness during hierarchy read operations, allowing information disclosure through use-after-free conditions when a network device is unregistered while RCU-protected read operations are in progress. The vulnerability affects the netlink operation callbacks in the shaper subsystem, where references acquired during pre-callbacks are not validated before later lock/RCU acquisitions, creating a race condition that can expose kernel memory or cause denial of service. No public exploit code has been identified at time of analysis, and the issue requires local access to trigger netlink operations.

Linux kernel net shaper subsystem susceptible to race condition during hierarchy creation allows unauthenticated local attackers to leak kernel memory or trigger use-after-free conditions. The vulnerability arises when a netdev is unregistered between reference acquisition during Netlink operation preparation and subsequent lock acquisition, permitting hierarchy allocation after flush operations have completed. Fixed via upstream commits that consolidate locking to pre-callback phase, preventing concurrent write races with flush operations.

NAND flash device lock/unlock operations in the Linux kernel MTD subsystem can race with concurrent erase/write operations, causing cmd_pending conflicts on certain NAND controllers that use PIO-based SET_FEATURES. This race condition is resolved by serializing lock/unlock calls with the NAND device lock, preventing data corruption or system instability on affected controller implementations. The vulnerability affects all Linux kernel versions prior to the fix and is present in systems using raw NAND devices with specific controller hardware implementations.

Mutex lock-unlock mismatch in the Linux kernel's wlcore Wi-Fi driver allows potential information disclosure or system instability through improper synchronization. The vulnerability occurs when wl->mutex is unlocked without being locked first, detected by the Clang thread-safety analyzer. This affects all Linux kernel versions with the wlcore Wi-Fi driver. No active exploitation has been identified, but the bug creates a race condition that could be leveraged to access shared kernel state.

Authentication bypass via OAuth token race condition in tinyauth allows concurrent attackers to hijack user sessions and gain unauthorized access to victim accounts. The vulnerability affects tinyauth v5.0.4 and earlier versions where singleton OAuth service instances share mutable PKCE verifier and access token fields across all concurrent requests. When two users authenticate simultaneously with the same OAuth provider (GitHub, Google, or generic OAuth), the second request overwrites the first user's token, causing the first user to receive a session with the second user's identity and access privileges. Go race detector confirms 99.9% exploit success rate (9,985/10,000 iterations) in concurrent scenarios. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept demonstrates reliable session hijacking with publicly available exploit methodology. EPSS data not available for this recent CVE.

Local privilege escalation to SYSTEM via race condition in Lakeside SysTrack Agent 11 (versions prior to 11.2.1.28) allows unauthenticated local attackers to gain complete system control through timing-dependent exploitation. EPSS risk assessment and KEV status not available at time of analysis; no public exploit identified at time of analysis. Attack complexity is rated high, requiring precise timing manipulation of concurrent operations.

Parse Server LiveQuery leaks protected fields and authentication data across concurrent subscribers due to shared mutable object state. When multiple clients subscribe to the same class, race conditions in the sensitive data filter allow one subscriber's field filtering to affect other subscribers, exposing data that should remain protected or delivering incomplete objects to authorized clients. Deployments using LiveQuery with protected fields or afterEvent triggers face unauthorized information disclosure. Vendor-released patches are available for Parse Server 8 and 9. No public exploit identified at time of analysis, though the vulnerability is straightforward to trigger in affected configurations.

Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.

WWBN AVideo up to version 26.0 allows authenticated attackers to conduct concurrent balance transfers that exploit a Time-of-Check-Time-of-Use (TOCTOU) race condition in the wallet module, enabling arbitrary financial value multiplication without database transaction protection. An attacker with multiple authenticated sessions can trigger parallel transfer requests that each read the same wallet balance, all pass the sufficiency check independently, but result in only a single deduction while the recipient receives multiple credits. The vulnerability requires local authentication and moderate attacker effort (AC:H) but carries high integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.

Cross-user data leakage in elixir-nodejs library versions prior to 3.1.4 allows authenticated users to receive sensitive data belonging to other users through a race condition in the worker protocol's request-response handling. The lack of request-response correlation causes stale responses to be delivered to unrelated callers in high-throughput environments, potentially exposing PII, authentication tokens, or private records. No public exploit identified at time of analysis, though the vulnerability is documented in GitHub issue #100 with technical details publicly available.

Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attackers to trigger undefined behavior and potential memory corruption through unauthenticated MQTT messages. The data race condition in Charger::shared_context occurs when processing switch_three_phases_while_charging commands without proper locking, yielding CVSS 8.2 (High) with potential for availability disruption and data integrity impact. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication requirements (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).

Data race conditions in EVerest Core versions before 2026.02.0 allow concurrent access to charging state during phase switching operations, potentially causing integrity violations or service interruptions on affected EV charging systems. An attacker with adjacent network access can trigger the race condition by initiating phase switches during active charging sessions, exploiting the unsafe concurrent execution between the state machine and switching requests. No patch is currently available for this vulnerability.

Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to corrupt critical data structures when CSMS GetLog or UpdateFirmware requests coincide with EVSE fault events, potentially causing information disclosure, data integrity issues, and high availability impact. The vulnerability affects all versions prior to 2026.02.0, for which a vendor patch is available. SSVC analysis indicates no current exploitation, non-automatable attack surface, and partial technical impact. EPSS data not provided; no public exploit identified at time of analysis.

EVerest EV charging software prior to version 2026.02.0 contains a race condition in concurrent map access that can corrupt internal data structures when EV state-of-charge updates coincide with power meter refreshes and session termination events. Local attackers with physical access to charging equipment can trigger this condition to cause denial of service by crashing the charging system. Patch availability is limited to version 2026.02.0 and later.

EVerest EV charging software versions before 2026.02.0 contain a race condition in std::string handling triggered by concurrent EVCCID updates and OCPP session events, potentially leading to heap-use-after-free and denial of service. Local attackers with physical access to the charging infrastructure can exploit this timing-dependent vulnerability to crash the charging service. A patch is available in version 2026.02.0 or later.

Concurrent access to std::map<std::optional> in EVerest-Core versions prior to 2026.02.0 causes a data race condition that can corrupt container state during simultaneous EV state-of-charge updates, power meter periodic updates, and session termination events, resulting in denial of service of the EV charging stack. EVerest-Core (cpe:2.3:a:everest:everest-core) is the affected product, with patched version 2026.02.0 available. No public exploit code has been identified at time of analysis, and this vulnerability is not confirmed actively exploited; however, the condition is readily triggerable through normal charging operations combining multiple concurrent data sources.

A race condition exists in the Linux kernel's AF_UNIX socket implementation where the garbage collector (GC) can incorrectly purge receive queues of alive sockets when MSG_PEEK operations occur concurrently with socket closure. The vulnerability affects all Linux kernel versions and allows local attackers with socket access to cause information disclosure or denial of service by triggering the race condition between MSG_PEEK, socket closure, and GC execution. A proof-of-concept demonstrating the issue has been publicly reported by Igor Ushakov, and patches are available in the stable kernel tree.

This vulnerability is an AB-BA deadlock in the Linux kernel's PHY (Physical Layer) LED trigger subsystem that occurs when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled simultaneously. The deadlock arises because PHY LED triggers are registered during the phy_attach phase while holding the RTNL lock, then attempting to acquire the triggers_list_lock, while the netdev LED trigger code does the reverse-holding triggers_list_lock and attempting to acquire RTNL. This deadlock affects all Linux kernel versions with the affected PHY and LED trigger subsystems enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and while not directly exploitable for privilege escalation, it can be triggered to cause a system hang or denial of service by users with network configuration privileges or via userspace LED sysfs writes.

A locking initialization vulnerability exists in the Linux kernel's CAN BCM (Broadcast Manager) socket implementation where the bcm_tx_lock spinlock is not properly initialized in the RX setup path, creating a race condition when RX_RTR_FRAME flag processing attempts to transmit frames. This affects all Linux kernel versions with the vulnerable CAN BCM code, and while no public exploit is known, the vulnerability could lead to kernel memory corruption or denial of service if the uninitialized lock is accessed during concurrent RTR frame handling.

This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.

A deadlock vulnerability exists in the Linux kernel's mcp251x CAN bus driver where the mcp251x_open() function calls free_irq() while holding the mpc_lock mutex during error handling, causing the function to deadlock if an interrupt occurs simultaneously. This affects all Linux kernel versions with the vulnerable mcp251x driver code, and while not actively exploited in the wild (no KEV status indicates no in-the-wild exploitation), it represents a local denial of service condition where a user with appropriate device access can trigger driver initialization failures that hang the system.

A logic error in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem causes drbd_al_begin_io_nonblock() to fail silently when activity log extent acquisition fails due to spinlock contention, leading to loss of mutual exclusivity guarantees between resync and application I/O operations. This vulnerability affects all Linux kernel versions with the affected DRBD code and can result in kernel crashes via BUG_ON() assertions when activity log references are incorrectly released, as well as potential data consistency issues during active resync operations when concurrent application I/O proceeds without proper exclusivity enforcement.

This vulnerability is a race condition in the Linux kernel's libata subsystem where pending work is not properly canceled after clearing a deferred queue command (deferred_qc), leading to a WARN_ON() condition when the stale work eventually executes. The vulnerability affects all Linux kernel versions with the vulnerable libata code path, impacting systems using ATA/SATA disk controllers. An attacker with local access could trigger this condition through specific command sequences involving NCQ and non-NCQ commands, causing kernel warnings and potential system instability, though direct privilege escalation is not demonstrated.

A race condition exists in the Linux kernel's CXL (Compute Express Link) subsystem where the nvdimm_bus object can be invalidated while orphaned nvdimm objects attempt to reprobe, leading to a NULL pointer dereference in kobject_get() during device registration. This affects Linux kernels with CXL support enabled, allowing a local attacker or system administrator to trigger a kernel panic (denial of service) through module unload/reload sequences or specific timing during CXL ACPI probe operations. No active exploitation in the wild has been reported, but the vulnerability is easily reproducible via the cxl-translate.sh unit test with minimal timing manipulation.

A race condition exists in the Linux kernel's eBPF CPU map implementation on PREEMPT_RT systems, where concurrent access to per-CPU packet queues can cause memory corruption and kernel crashes. This vulnerability affects Linux kernel versions across multiple branches and can be triggered by tasks running on the same CPU, potentially allowing local denial of service or information disclosure. A proof-of-concept has been made available via syzkaller, and patches have been released through the official Linux kernel stable repositories.

A lockdep-detected invalid wait context vulnerability exists in the Linux kernel's performance event scheduling subsystem, specifically in the ctx_sched_in() function when handling pinned events. The vulnerability affects all Linux kernel versions (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) and arises when the kernel attempts to acquire a wait-queue lock while already holding a perf-context lock, violating lock ordering rules and potentially causing system hangs or crashes. This is a kernel-level synchronization bug that can be triggered by unprivileged users with access to perf event tracing capabilities, though active exploitation in the wild has not been documented.

This vulnerability is a data-race condition in the Linux kernel where socket callback pointers (sk->sk_data_ready and sk->sk_write_space) are being modified concurrently by skmsg and other kernel layers without proper synchronization, potentially leading to information disclosure. All Linux kernel versions are affected across all architectures and distributions (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), with the issue impacting UDP, TCP, and AF_UNIX socket implementations. An attacker with local access could potentially exploit this race condition to read sensitive data or cause memory corruption by triggering concurrent modifications to these critical function pointers.

A deadlock vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that occurs when an application issues a query IOCTL while the device is undergoing auto-suspend. The vulnerability affects all Linux distributions shipping the vulnerable kernel code. An attacker with local access to the system can trigger this deadlock by issuing query IOCTLs concurrently with power management events, causing a complete hang of the AMD XDNA accelerator subsystem and denial of service to legitimate applications. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified, but the fix has been integrated into the stable Linux kernel.

A recursive locking vulnerability exists in the Linux kernel's target core configfs implementation where the target_core_item_dbroot_store() function attempts to open a file using filp_open() while already holding a semaphore (frag_sem) acquired in flush_write_buffer(), creating a deadlock condition when the same configfs file is accessed. This affects all Linux kernel versions with the vulnerable target subsystem code, and while no CVSS score or EPSS data is publicly available, the vulnerability has been resolved across multiple stable kernel branches with patch commits available in the kernel git repository, suggesting active acknowledgment of the issue as a legitimate kernel bug requiring remediation.

Sandbox escape vulnerability in macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) allows locally-installed applications to break out of their sandbox restrictions through a race condition. An attacker with the ability to run an application on an affected system could exploit this to gain unauthorized access outside the application's intended security boundaries. No patch is currently available for this HIGH severity vulnerability (CVSS 8.1).

macOS systems running Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, or Tahoe 26.3 and earlier are vulnerable to a race condition in application state handling that allows local attackers to trigger unexpected system termination and cause denial of service. The vulnerability requires specific timing conditions but does not require user interaction or elevated privileges to exploit. Apple has released patches for affected versions, though exploitation likelihood remains low.

Sandboxed processes on Apple macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) can escape sandbox isolation due to a race condition in state handling, allowing local attackers to bypass security restrictions and potentially execute arbitrary operations with elevated privileges. No patch is currently available for affected systems. The vulnerability requires local access and specific timing conditions but carries high impact across confidentiality, integrity, and availability.

macOS systems running Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, and Tahoe 26.3 and earlier contain a race condition in state handling that allows local applications to escalate privileges to root. The vulnerability stems from improper synchronization during critical operations, enabling an attacker with local access to exploit the timing window and gain elevated system privileges. Patches have been released for affected macOS versions.

N2WS Backup & Recovery before version 4.4.0 contains a remote code execution vulnerability in its RESTful API that requires a two-step attack chain to exploit. An unauthenticated attacker can execute arbitrary code on affected systems, potentially compromising backup and disaster recovery infrastructure. This vulnerability affects the N2WS product line and should be treated as critical given the RCE classification and the security-sensitive nature of backup systems.

NVIDIA Triton Inference Server contains a race condition vulnerability (CWE-362) that allows unauthenticated remote attackers to corrupt internal server state, resulting in a denial of service. The vulnerability affects NVIDIA Triton Inference Server across multiple versions and can be exploited over the network with low attack complexity requiring no privileges or user interaction. With a CVSS score of 7.5 (High) and an EPSS score not provided, this represents a significant availability risk for organizations running AI/ML inference workloads.

NVIDIA Triton Inference Server's Sagemaker HTTP server contains a race condition vulnerability that allows unauthenticated remote attackers to trigger an exception, resulting in denial of service. The vulnerability affects NVIDIA Triton Inference Server deployments using the Sagemaker HTTP server component and can be exploited over the network without authentication or user interaction. There is no indication of active exploitation (not in CISA KEV), and EPSS data was not provided, but the CVSS score of 7.5 (High) reflects the ease of exploitation.

Mozilla Firefox's WebRender graphics component contains a race condition and use-after-free vulnerability that enables remote code execution when a user visits a malicious webpage. The flaw affects Firefox versions prior to 149, Firefox ESR versions before 115.34 and 140.9, and requires user interaction to trigger. No patch is currently available for this high-severity issue.

Citrix NetScaler ADC and Gateway instances configured for SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers are vulnerable to a race condition that enables authenticated attackers to hijack other users' sessions. An attacker with valid credentials can exploit timing-dependent conditions to cause session mixup between concurrent users, potentially gaining unauthorized access to sensitive resources or impersonating other authenticated users. No patch is currently available for this high-severity vulnerability.

Node.js applications using Effect library versions 3.19.15 and earlier with @effect/rpc 0.72.1 and @effect/platform 0.94.2 are vulnerable to context confusion due to improper AsyncLocalStorage handling in the MixedScheduler, allowing attackers to access sensitive data from other concurrent requests through race conditions. An attacker can exploit the batching mechanism to read or modify context belonging to different requests processed in the same microtask cycle, potentially leading to data leakage between users in multi-tenant environments. No patch is currently available.

OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers.

This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.

A race condition vulnerability exists in the Linux kernel's /proc/net/ptype implementation where concurrent readers and writers violate RCU (Read-Copy-Update) synchronization rules, allowing information disclosure through unsafe access to device pointers. The vulnerability affects all Linux kernel versions with the vulnerable ptype_seq_show() and ptype_seq_next() functions. An attacker with local access can trigger RCU stalls, kernel panics, or read uninitialized kernel memory by racing concurrent packet type structure modifications against /proc/net/ptype reads, potentially leaking sensitive kernel data or causing denial of service.

Devise's Confirmable module with the reconfirmable option enabled contains a race condition that allows attackers to confirm email addresses they don't control by sending concurrent email change requests. By exploiting the desynchronization between the confirmation token and unconfirmed email fields, an attacker can redirect a victim's email confirmation to their own account. This affects all Devise applications using the default Confirmable configuration with email changes, and is patched in Devise v5.0.3.

SandboxJS 0.8.34 contains a race condition where a shared global tick state allows concurrent sandboxes to interfere with each other's execution quotas during timer callback compilation. An attacker in a multi-tenant environment can exploit this to bypass resource limits and exhaust CPU/memory on the host system. A patch is available.

TeraWallet for WooCommerce versions up to 1.5.15 contain a race condition in concurrent transaction handling that allows authenticated attackers to manipulate wallet integrity and perform unauthorized financial operations. An attacker with user-level access can exploit improper synchronization during simultaneous requests to bypass transaction controls and modify account balances. No patch is currently available for this vulnerability.

Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected. The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated. There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37

Workspace boundary enforcement currently has three related bypass risks. This issue tracks fixing all three in one pull request. - What happens: Path validation can miss dangling symlink components during traversal checks. - Why it matters: A symlink that is unresolved at validation time can later resolve to an external location. - Impact: Read and write operations may escape workspace boundaries. - Affected area: src/security/path.rs (check_symlink_escape). - What happens: The path is validated first, then used later for filesystem operations. - Why it matters: A concurrent filesystem change can swap path components after validation but before open/write. - Impact: Race-based workspace escape is possible. - Affected area: Filesystem and file-consuming tools that call validate_path_in_workspace before I/O. - What happens: A file inside workspace can be a hardlink to an inode outside the intended workspace trust boundary. - Why it matters: Prefix and symlink checks can pass while data access still mutates or reads external content. - Impact: Policy bypass for read/write operations. - Affected area: Any tool that reads or writes via validated paths. | ID | Risk | Severity | Likelihood | Impact | |---|---|---|---|---| | R1 | Dangling symlink component bypass | High | Medium | Workspace boundary escape for read/write | | R2 | Validate/use TOCTOU race | High | Medium | Race-based boundary escape during file I/O | | R3 | Hardlink alias bypass | Medium | Low-Medium | External inode read/write through in-workspace path | 1. Create a symlink inside workspace pointing to a missing target. 2. Validate a path traversing that symlink. 3. Create the target directory outside workspace after validation. 4. Perform file operation and observe potential boundary escape if not fail-closed. 1. Validate a candidate in-workspace path. 2. Before open/write, replace an intermediate component with a link to external location. 3. Continue with the file operation. 4. Observe boundary escape if operation trusts only stale validation result. 1. Place a hardlink inside workspace that points to an external inode. 2. Validate the in-workspace hardlink path. 3. Read or write through this path. 4. Observe external inode access through a path that appears in-scope. Unauthorized cross path boundary [@zpbrent](https://github.com/zpbrent) [f50c17e11ae3e2d40c96730abac41974ef2ee2a8](https://github.com/qhkm/zeptoclaw/commit/f50c17e11ae3e2d40c96730abac41974ef2ee2a8)

Time-of-check time-of-use race condition in the UEFI PdaSmm module for some Intel(R) reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure.

Time-of-check time-of-use race condition in the WheaERST SMM module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege.

Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where concurrent requests can bypass redemption restrictions by exploiting a gap between eligibility validation and usage increment operations. An unauthenticated attacker can exploit this TOCTOU vulnerability to redeem promotions or coupons beyond their configured usage limits, potentially causing financial loss through unintended discounts. No patch is currently available.

In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. [CVSS 2.9 LOW]

Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.

Windows Kerberos authentication in Server 2012 and Windows 10 (versions 1607, 1809) contains a race condition that enables unauthenticated remote attackers to circumvent security feature protections. The synchronization flaw in concurrent resource access allows attackers to bypass intended security controls without user interaction over the network. No patch is currently available for this vulnerability.

Privilege escalation in Windows Device Association Service (Windows 10 versions 1607, 1809, and 21H2) stems from improper synchronization of shared resources, enabling local authenticated users to gain elevated system privileges. The vulnerability requires high attack complexity and no user interaction, making it exploitable by insiders or compromised local accounts. No patch is currently available.

Privilege escalation in Windows Device Association Service across Windows 10, 11, and Server 2022 stems from improper synchronization of shared resources, enabling local authenticated users to gain elevated system privileges. The vulnerability requires local access and specific timing conditions but poses high risk due to its impact on confidentiality, integrity, and availability. No patch is currently available.

Privilege escalation in the Windows Bluetooth RFCOM Protocol Driver across Windows 11 26h1, Windows Server 2025, and Windows 10 1809 stems from improper synchronization of concurrent access to shared resources. An authenticated local attacker can exploit this race condition to gain elevated privileges on affected systems. No patch is currently available for this vulnerability.

Local privilege escalation in Microsoft Graphics Component on Windows Server 2016 and Windows 11 23h2 stems from improper synchronization of shared resources, enabling authenticated attackers to gain elevated privileges. The race condition vulnerability requires local access and specific timing conditions but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Privilege escalation in CODESYS Development System installer exploits a time-of-check-time-of-use (TOCTOU) race condition, allowing a low-privileged local attacker to gain elevated rights when a legitimate user initiates a system update or installation. An attacker with local access can manipulate files during the installation process window to execute arbitrary code with elevated privileges. No patch is currently available, and the vulnerability requires user interaction but poses significant risk to system integrity and confidentiality.

CoreDNS versions prior to 1.14.2 allow authenticated attackers to bypass DNS access controls through a Time-of-Check Time-of-Use race condition in the plugin execution chain, where the rewrite plugin processes requests after security plugins like ACL have already validated them. An attacker with network access can exploit this logical flaw to access DNS records that should be restricted by configured access control policies. No patch is currently available for affected deployments.

Race condition vulnerability in the device security management module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.7 MEDIUM]

Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.6 MEDIUM]

Race condition vulnerability in the security control module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.0 MEDIUM]

Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.9 MEDIUM]

Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]

Race condition vulnerability in the maintenance and diagnostics module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.4 MEDIUM]

Insecure permissions in App-Auto-Patch v3.4.2 create a race condition which allows attackers to write arbitrary files. [CVSS 7.8 HIGH]

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. [CVSS 3.7 LOW]

Improper Locking vulnerability (CWE-667) in Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server. [CVSS 2.5 LOW]

In multiple functions of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.0 HIGH]

In multiple functions of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.4 HIGH]

In multiple locations, there is a possible lockscreen bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.4 HIGH]

An issue has been identified in Arm C1-Pro before r1p2-50eac0, where, under certain conditions, a TLBI+DSB might fail to ensure the completion of memory accesses related to SME. [CVSS 3.6 LOW]

Android versions up to 14.0 contains a vulnerability that allows attackers to local denial of service if a malicious actor has already obtained the System pri (CVSS 4.4).

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.4).

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. [CVSS 2.6 LOW]

Firefox and Thunderbird versions below 148 contain a race condition in the JavaScript garbage collection component that could allow an attacker to access or modify limited data through specially crafted content requiring user interaction. The vulnerability has a CVSS score of 4.2 and currently lacks an available patch.

Multiple usage tokens in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 can be consumed beyond their intended limits due to a race condition in token validation logic where usage checks and database updates are not atomic. An authenticated attacker with access to a valid impersonation token can exploit concurrent requests to bypass usage restrictions and reuse single-use tokens multiple times. Patches are available for affected versions.