Skip to main content

Race Condition

web MEDIUM

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use).

How It Works

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use). An attacker sends nearly simultaneous requests to manipulate shared state before the application can enforce its business logic. For example, when redeeming a gift voucher, Request A checks the balance, Request B also checks while A is processing, then both complete successfully—redeeming the voucher twice.

Attackers use specialized techniques to achieve precise timing. HTTP/2's multiplexing allows 20-30 requests in a single TCP packet, arriving virtually simultaneously at the server. For HTTP/1.1, "last-byte synchronization" holds back the final byte of multiple requests, then releases them together. These methods reduce network jitter to microseconds, maximizing collision probability.

Advanced attacks include multi-endpoint collisions (hitting different API paths that share state), exploiting partial object construction (accessing resources before initialization completes), and single-endpoint confusion (causing a function to process stale state by overwhelming it with requests).

Impact

  • Financial fraud: Redeeming coupons multiple times, withdrawing beyond account balance, applying discounts repeatedly
  • Authentication bypass: Reusing CAPTCHA tokens, bypassing rate limits on login attempts, exploiting session validation gaps
  • Resource exhaustion: Claiming limited inventory multiple times, booking the same seat/room concurrently
  • Data corruption: Simultaneous writes creating inconsistent database states, inventory counts becoming negative
  • Access control violations: Exploiting privilege checks to access unauthorized resources during state transitions

Real-World Examples

In 2019, security researchers demonstrated race conditions in major e-commerce platforms allowing users to purchase items at massive discounts by applying the same promotional code dozens of times within milliseconds. The applications checked voucher validity but didn't atomically mark them as used.

TOCTOU vulnerabilities have been found in cryptocurrency exchanges where concurrent withdrawal requests could drain more funds than an account held. Attackers automated HTTP/2 packet timing to submit multiple withdrawal requests before the balance update propagated, essentially duplicating money.

File upload race conditions have enabled remote code execution when attackers upload malicious files and execute them before security scanners complete validation-the check happens, but the file runs before removal.

Mitigation

  • Database transactions with row-level locking: Wrap check-and-update logic in ACID transactions with SELECT FOR UPDATE
  • Idempotency keys: Require unique request identifiers; reject duplicates within a time window
  • Uniqueness constraints: Database-level UNIQUE constraints on critical fields (voucher redemptions, order IDs)
  • Atomic operations: Use database built-ins like DECREMENT with bounds checking, compare-and-swap primitives
  • Application-level mutexes: Distributed locks (Redis, memcached) around critical sections, ensuring single execution
  • Rate limiting per resource: Throttle requests per user AND per target resource (not just per IP)
  • Sequence validation: Check monotonically increasing counters or nonces to detect concurrent modification

Recent CVEs (1817)

EPSS 0% CVSS 7.0
HIGH This Week

A race condition was addressed with improved state handling. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

Race Condition Apple Information Disclosure +1
NVD
EPSS 1% CVSS 3.1
LOW PATCH Monitor

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.2.0. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.

Apache Race Condition Information Disclosure +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Month

Windows Hyper-V Remote Code Execution Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is no authentication required.

Microsoft Race Condition RCE +10
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Race condition in snap-confine's must_mkdir_and_open_with_perms(). Rated high severity (CVSS 7.8). Public exploit code available.

Race Condition Information Disclosure Snapd +1
NVD GitHub
EPSS 1% CVSS 3.1
LOW PATCH Monitor

A race condition exists in Audited 4.0.0 to 5.3.3 that can result in an authenticated user to cause audit log entries to be attributed to another user. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.

Race Condition Information Disclosure Audited
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM This Month

Defective request context handling in Self Service in LinOTP 3.x before 3.2.5 allows remote unauthenticated attackers to escalate privileges, thereby allowing them to act as and with the permissions. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Privilege Escalation Linotp +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller than necessary. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Race Condition Apple +7
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A race condition issue discovered in Samsung Mobile Processor Exynos 9820, 980, 1080, 2100, 2200, 1280, and 1380 allows unintended modifications of values within certain areas. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Samsung Information Disclosure +7
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Denial Of Service Privilege Escalation +1
NVD
EPSS 8% CVSS 8.1
HIGH PATCH This Week

In multiple functions of MetaDataBase.cpp, there is a possible UAF write due to a race condition. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition Privilege Escalation Android
NVD
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

A race condition in go-resty can result in HTTP request body disclosure across requests. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Race Condition Information Disclosure Resty
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC This Month

The kk Star Ratings WordPress plugin before 5.4.6 does not implement atomic operations, allowing one user vote multiple times on a poll due to a Race Condition. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Race Condition Information Disclosure WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Hyperledger Fabric is an open source permissioned distributed ledger framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Race Condition Information Disclosure Fabric
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

A race condition in System Management Mode (SMM) code may allow an attacker using a compromised user space to leverage CVE-2018-8897 potentially resulting in privilege escalation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Privilege Escalation Ryzen 3 5100 Firmware +70
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Windows Kernel Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Microsoft +11
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The YOP Poll plugin for WordPress is vulnerable to a race condition in all versions up to, and including, 6.5.26. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Race Condition Information Disclosure WordPress +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Race Condition Information Disclosure Harbor
NVD GitHub
EPSS 1% CVSS 3.7
LOW PATCH Monitor

ZITADEL provides identity infrastructure. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Zitadel
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

SchedMD Slurm 23.02.x before 23.02.6 and 22.05.x before 22.05.10 allows filesystem race conditions for gaining ownership of a file, overwriting a file, or deleting files. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Information Disclosure Slurm +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In tbd of tbd, there is a possible memory corruption due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Buffer Overflow Privilege Escalation +1
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Windows Kernel Security Feature Bypass Vulnerability. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Race Condition Authentication Bypass Microsoft +7
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Information Disclosure Whatsapp
NVD
EPSS 0% CVSS 5.6
MEDIUM This Month

A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Information Disclosure Whatsapp
NVD
EPSS 0% CVSS 4.7
MEDIUM POC PATCH This Month

A flaw was found in the Netfilter subsystem of the Linux kernel. Rated medium severity (CVSS 4.7). Public exploit code available.

Race Condition Denial Of Service Linux +4
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A race condition was addressed with improved locking. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. No vendor patch available.

Race Condition Information Disclosure Apple +1
NVD
EPSS 0% CVSS 3.7
LOW Monitor

Vulnerability of mutex management in the bone voice ID trusted application (TA) module. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Information Disclosure Emui +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition RCE Openpmix +2
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

A race condition was addressed with improved state handling. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

Race Condition RCE Apple +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In camsys, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Denial Of Service Privilege Escalation +3
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In pda, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Denial Of Service Privilege Escalation +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In ims service, there is a possible memory corruption due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Buffer Overflow Privilege Escalation +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In update of MmsProvider.java, there is a possible way to bypass file permission checks due to a race condition. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Race Condition Denial Of Service Android
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In imgsys, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Denial Of Service Privilege Escalation +2
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

Race conditions in reference counting code were found through code inspection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Mozilla Information Disclosure +2
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Discourse is an open source discussion platform. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Discourse
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Linux +5
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Linux +6
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Race Condition Information Disclosure Linux +1
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

In startInput of AudioPolicyInterfaceImpl.cpp, there is a possible way of erroneously displaying the microphone privacy indicator due to a race condition. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Android
NVD
EPSS 99% CVSS 7.5
HIGH KEV PATCH THREAT This Week

Windows Search Remote Code Execution Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required.

Race Condition RCE Microsoft +12
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Windows Kernel Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Microsoft +11
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

ASP.NET and Visual Studio Security Feature Bypass Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition Authentication Bypass Net +2
NVD
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

A flaw was found in the subsequent get_user_pages_fast in the Linux kernel’s interface for symmetric key cipher algorithms in the skcipher_recvmsg of crypto/algif_skcipher.c function. Rated medium severity (CVSS 4.7).

Race Condition Denial Of Service Linux +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

A race condition exists in the Tang server functionality for key generation and key rotation. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. Public exploit code available.

Race Condition Information Disclosure Tang +2
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Linux +6
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Linux +7
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

In MADEFORNET HTTP Debugger through 9.12, the Windows service does not set the seclevel registry key before launching the driver. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Race Condition Information Disclosure Microsoft +1
NVD
EPSS 0% CVSS 3.1
LOW POC Monitor

The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Race Condition Information Disclosure WordPress +1
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

In display, there is a possible memory corruption due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Buffer Overflow Privilege Escalation +1
NVD
EPSS 0% CVSS 4.1
MEDIUM This Month

In installKey of KeyUtil.cpp, there is a possible failure of file encryption due to a race condition. Rated medium severity (CVSS 4.1). No vendor patch available.

Race Condition Information Disclosure Google +1
NVD
EPSS 1% CVSS 7.0
HIGH This Week

A race condition was addressed with improved state handling. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

Race Condition Information Disclosure Apple +5
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

An issue was discovered in the Linux kernel before 6.3.2. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Linux +5
NVD
EPSS 1% CVSS 7.0
HIGH PATCH This Week

An issue was discovered in the Linux kernel before 6.3.2. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Linux +6
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

An issue was discovered in the Linux kernel through 6.3.8. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Linux +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

An issue was discovered in the Linux kernel before 6.3.2. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Linux +6
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

An issue was discovered in the Linux kernel before 6.3.2. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Linux +2
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

An issue was discovered in the Linux kernel before 6.3.2. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Linux +2
NVD
EPSS 0% CVSS 7.0
HIGH This Week

In multiple functions of WVDrmPlugin.cpp, there is a possible use after free due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Privilege Escalation Denial Of Service +2
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

In canStartSystemGesture of RecentsAnimationDeviceState.java, there is a possible partial lockscreen bypass due to a race condition. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Privilege Escalation Google +1
NVD
EPSS 0% CVSS 4.1
MEDIUM This Month

In swpm, there is a possible out of bounds write due to a race condition. Rated medium severity (CVSS 4.1). No vendor patch available.

Race Condition Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In vcu, there is a possible out of bounds write due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Buffer Overflow Privilege Escalation +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Buffer Overflow Mozilla +3
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Race Condition Denial Of Service Riot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Libarchive through 3.6.2 can cause directories to have world-writable permissions. Rated medium severity (CVSS 5.3). No vendor patch available.

Race Condition Information Disclosure Libarchive
NVD GitHub
EPSS 0% CVSS 3.3
LOW Monitor

The Gallery app has the risk of hijacking attacks. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Emui
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device. Rated medium severity (CVSS 6.4), this vulnerability is no authentication required.

Race Condition Qualcomm Linux +3
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Race Condition Denial Of Service Dav1D +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

This issue was addressed with improved state management. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition RCE Apple +4
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A race condition was addressed with improved locking. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. No vendor patch available.

Race Condition Apple Authentication Bypass +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Race Condition RCE Microsoft +15
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. Rated high severity (CVSS 7.0).

Race Condition RCE Linux +2
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM This Month

An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Denial Of Service Linux +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

A Race Condition exists in the Qualys Cloud Agent for Windows platform in versions from 3.1.3.34 and before 4.5.3.1. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Privilege Escalation Microsoft +1
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

@web3-react is a framework for building Ethereum Apps . Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Race Condition Node.js Information Disclosure +4
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A Use After Free vulnerability in the Layer 2 Address Learning Manager (l2alm) of Juniper Networks Junos OS on QFX Series allows an adjacent attacker to cause the Packet Forwarding Engine to crash. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. No vendor patch available.

Race Condition Juniper Denial Of Service +1
NVD
EPSS 0% CVSS 7.0
HIGH POC This Week

PAX Technology PAX A920 Pro PayDroid 8.1suffers from a Race Condition vulnerability, which allows attackers to bypass the payment software and force the OS to boot directly to Android during the boot. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Race Condition Google Authentication Bypass +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required.

Race Condition RCE Microsoft +13
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In display drm, there is a possible double free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Privilege Escalation Android
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In display drm, there is a possible double free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Privilege Escalation Android
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In vdec, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Denial Of Service Privilege Escalation +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In vdec, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Denial Of Service Privilege Escalation +1
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Denial Of Service Linux +1
NVD
EPSS 0% CVSS 7.0
HIGH POC This Week

KDAB Hotspot 1.3.x and 1.4.x through 1.4.1, in a non-default configuration, allows privilege escalation because of race conditions involving symlinks and elevate_perf_privileges.sh chown calls. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Race Condition Privilege Escalation Hotspot
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

An issue was discovered in the Linux kernel through 6.2.0-rc2. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required.

Race Condition Information Disclosure Linux +1
NVD
EPSS 1% CVSS 6.8
MEDIUM POC PATCH This Month

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in GitHub repository answerdev/answer prior to 1.0.4. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

Race Condition Information Disclosure Answer
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Race Condition Path Traversal Lightftp
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Race Condition Information Disclosure Deno
NVD GitHub
EPSS 1% CVSS 4.2
MEDIUM PATCH This Month

efs-utils is a set of Utilities for Amazon Elastic File System (EFS). Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.

Race Condition Information Disclosure Elastic +2
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

A race condition can cause incorrect HTTP request routing. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Gobase
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

If two Workers were simultaneously initializing their CacheStorage, a data race could have occurred in the `ThirdPartyUtil` component. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition Information Disclosure Mozilla +1
NVD
Prev Page 11 of 21 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
1817

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy