Race Condition
Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use).
How It Works
Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use). An attacker sends nearly simultaneous requests to manipulate shared state before the application can enforce its business logic. For example, when redeeming a gift voucher, Request A checks the balance, Request B also checks while A is processing, then both complete successfully—redeeming the voucher twice.
Attackers use specialized techniques to achieve precise timing. HTTP/2's multiplexing allows 20-30 requests in a single TCP packet, arriving virtually simultaneously at the server. For HTTP/1.1, "last-byte synchronization" holds back the final byte of multiple requests, then releases them together. These methods reduce network jitter to microseconds, maximizing collision probability.
Advanced attacks include multi-endpoint collisions (hitting different API paths that share state), exploiting partial object construction (accessing resources before initialization completes), and single-endpoint confusion (causing a function to process stale state by overwhelming it with requests).
Impact
- Financial fraud: Redeeming coupons multiple times, withdrawing beyond account balance, applying discounts repeatedly
- Authentication bypass: Reusing CAPTCHA tokens, bypassing rate limits on login attempts, exploiting session validation gaps
- Resource exhaustion: Claiming limited inventory multiple times, booking the same seat/room concurrently
- Data corruption: Simultaneous writes creating inconsistent database states, inventory counts becoming negative
- Access control violations: Exploiting privilege checks to access unauthorized resources during state transitions
Real-World Examples
In 2019, security researchers demonstrated race conditions in major e-commerce platforms allowing users to purchase items at massive discounts by applying the same promotional code dozens of times within milliseconds. The applications checked voucher validity but didn't atomically mark them as used.
TOCTOU vulnerabilities have been found in cryptocurrency exchanges where concurrent withdrawal requests could drain more funds than an account held. Attackers automated HTTP/2 packet timing to submit multiple withdrawal requests before the balance update propagated, essentially duplicating money.
File upload race conditions have enabled remote code execution when attackers upload malicious files and execute them before security scanners complete validation-the check happens, but the file runs before removal.
Mitigation
- Database transactions with row-level locking: Wrap check-and-update logic in ACID transactions with SELECT FOR UPDATE
- Idempotency keys: Require unique request identifiers; reject duplicates within a time window
- Uniqueness constraints: Database-level UNIQUE constraints on critical fields (voucher redemptions, order IDs)
- Atomic operations: Use database built-ins like DECREMENT with bounds checking, compare-and-swap primitives
- Application-level mutexes: Distributed locks (Redis, memcached) around critical sections, ensuring single execution
- Rate limiting per resource: Throttle requests per user AND per target resource (not just per IP)
- Sequence validation: Check monotonically increasing counters or nonces to detect concurrent modification
Recent CVEs (1816)
In the Linux kernel, the following vulnerability has been resolved: sock_map: avoid race between sock_map_close and sk_psock_put sk_psock_get will return NULL if the refcount of psock has gone to 0,. Rated medium severity (CVSS 4.7).
A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In DevmemIntUnexportCtx of devicemem_server.c, there is a possible arbitrary code execution due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.
In _UnrefAndMaybeDestroy of pmr.c, there is a possible arbitrary code execution due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.
In multiple functions of MessageQueueBase.h, there is a possible out of bounds write due to a race condition. Rated high severity (CVSS 7.0).
In the Linux kernel, the following vulnerability has been resolved: bonding: fix oops during rmmod "rmmod bonding" causes an oops ever since commit cc317ea3d927 ("bonding: remove redundant NULL check. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: Revert "xsk: Support redirect to any socket bound to the same umem" This reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: btrfs: protect folio::private when attaching extent buffer folios [BUG] Since v6.8 there are rare kernel crashes reported by. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix crash on racing fsync and size-extending write into prealloc We have been seeing crashes on duplicate keys in. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: media: ti: j721e-csi2rx: Fix races while restarting DMA After the frame is submitted to DMA, it may happen that the submitted list. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: m68k: Fix spinlock race in kernel thread creation Context switching does take care to retain the correct lock owner across the. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix a race between readers and resize checks The reader code in rb_get_reader_page() swaps a new reader page into the. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg A data-race condition has been identified in af_unix. Rated medium severity (CVSS 4.7).
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In sec_media_protect of media.c, there is a possible permission bypass due to a race condition. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In gpu_pm_power_off_top_nolock of pixel_gpu_power.c, there is a possible compromise of protected memory due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.
In sec_media_unprotect of media.c, there is a possible memory corruption due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix uninit-value access in __ip_make_skb() KMSAN reported uninit-value access in __ip_make_skb() [1]. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device. Rated high severity (CVSS 7.0).
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel(). Rated medium severity (CVSS 5.6).
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() When I did memory failure tests recently, below warning. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Disable idle reallow as part of command/gpint execution [Why] Workaroud for a race condition where DMCUB is in the. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_uart: properly fix race condition The cros_ec_uart_probe() function calls devm_serdev_device_open() before. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: flush pending destroy work before exit_net release Similar to 2c9f0293280e ("netfilter: nf_tables: flush. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() nft_unregister_flowtable_type() within. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: PCI/PM: Drain runtime-idle callbacks before driver removal A race condition between the .runtime_idle() callback and the .remove(). Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race in read_extent_buffer_pages() There are reports from tree-checker that detects corrupted nodes, without any obvious. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: netrom: Fix data-races around sysctl_net_busy_read We need to protect the reader reading the sysctl value because the value can be. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: confirm multicast packets before passing them up the stack conntrack nf_confirm logic cannot handle cloned skbs. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup The Linked list element and pointer are. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data races on remote_id Similar to the previous patch, address the data race on remote_id, adding the suitable ONCE. Rated medium severity (CVSS 4.7).
Race condition vulnerability in the binder driver module Impact: Successful exploitation of this vulnerability will affect availability. Rated medium severity (CVSS 4.7). No vendor patch available.
Out-of-bounds access vulnerability in the memory module Impact: Successful exploitation of this vulnerability will affect availability. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Stellar-core is a reference implementation for the peer-to-peer agent that manages the Stellar network. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when detecting delalloc ranges during fiemap For fiemap we recently stopped locking the target extent range for the. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: nouveau: lock the client object tree. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: tmpfs: fix race on handling dquot rbtree A syzkaller reproducer found a race while attempting to remove dquot information from the. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Use separate handlers for interrupts For PF to AF interrupt vector and VF to AF vector same interrupt handler is. Rated medium severity (CVSS 6.3).
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() nft_unregister_expr() can concurrent with. Rated high severity (CVSS 7.0).
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: s390/cio: fix race condition during online processing A race condition exists in ccw_device_set_online() that can cause the online. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: interconnect: Don't access req_list while it's being manipulated The icc_lock mutex was split into separate icc_lock and. Rated medium severity (CVSS 6.3).
In the Linux kernel, the following vulnerability has been resolved: nouveau: fix instmem race condition around ptr stores Running a lot of VK CTS in parallel against nouveau, once every few hours you. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In plugins/HookSystem.cpp in Hyprland through 0.39.1 (before 28c8561), through a race condition, a local attacker can cause execution of arbitrary assembly code by writing to a predictable temporary. Rated high severity (CVSS 7.0). No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting. Rated medium severity (CVSS 4.7).
A vulnerability, which was classified as problematic, has been found in COVESA vsomeip up to 3.4.10. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix performance regression in swap operation The patch "netfilter: ipset: fix race condition between swap/destroy. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete The ath9k_wmi_event_tasklet() used in ath9k_htc assumes. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: quota: Fix potential NULL pointer dereference Below race may cause NULL pointer dereference P1 P2 dquot_free_inode quota_off. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate meta inode pages forcely Below race case can cause data corruption: Thread A GC thread - gc_data_segment -. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: packet: annotate data-races around ignore_outgoing ignore_outgoing is read locklessly from dev_queue_xmit_nit() and. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: wireguard: receive: annotate data-race around receiving_counter.counter Syzkaller with KCSAN identified a data-race issue when. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: net/bnx2x: Prevent access to a freed page in page_pool Fix race condition leading to system crash during EEH error handling During. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Lock external INTx masking ops Mask operations through config space changes to DisINTx may race INTx configuration. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.
A race condition in the installer executable in Qlik Qlikview before versions May 2022 SR3 (12.70.20300) and May 2023 SR2 (12,80.20200) may allow an existing lower privileged user to cause code to be. Rated high severity (CVSS 7.8). No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix race condition on enabling fast-xmit fast-xmit must only be enabled after the sta has been uploaded to the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove In commit ac5047671758 ("hv_netvsc: Disable NAPI before. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following. Rated medium severity (CVSS 4.7).
Possible race condition vulnerability in Apache Doris. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. Rated medium severity (CVSS 5.7). No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: move mmu notification mechanism inside mm lock Move mmu notification mechanism inside mm lock to prevent race. Rated high severity (CVSS 7.0).
A race condition was addressed with additional validation. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. No vendor patch available.
A race condition was addressed with improved state handling. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. No vendor patch available.
A race condition was addressed with additional validation. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. No vendor patch available.
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.2.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may. Rated medium severity (CVSS 4.7).
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as. Rated medium severity (CVSS 4.7).
In removePersistentDot of SystemStatusAnimationSchedulerImpl.kt, there is a possible race condition due to a logic error in the code. Rated high severity (CVSS 7.0).
A Race Condition discovered in geofence.cpp and mission_feasibility_checker.cpp in PX4 Autopilot 1.14 and earlier allows attackers to send drones on unintended missions. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
PX4 Autopilot 1.14 and earlier, due to the lack of synchronization mechanism for loading geofence data, has a Race Condition vulnerability in the geofence.cpp and mission_feasibility_checker.cpp. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. Rated medium severity (CVSS 4.7). No vendor patch available.
A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. Rated medium severity (CVSS 6.3). No vendor patch available.
A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. No vendor patch available.
A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. Rated medium severity (CVSS 4.6). No vendor patch available.
A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. Rated medium severity (CVSS 4.6). No vendor patch available.
A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. Rated medium severity (CVSS 4.6). No vendor patch available.
A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. Rated medium severity (CVSS 5.0). No vendor patch available.
A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. Rated medium severity (CVSS 4.7). No vendor patch available.
A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. Rated medium severity (CVSS 4.7). No vendor patch available.
In mp3 decoder, there is a possible out of bounds write due to a race condition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in the Flow-processing Daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A race condition was addressed with improved state handling. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.
Quick Facts
- Typical Severity
- MEDIUM
- Category
- web
- Total CVEs
- 1816