Skip to main content

Race Condition

web MEDIUM

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use).

How It Works

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use). An attacker sends nearly simultaneous requests to manipulate shared state before the application can enforce its business logic. For example, when redeeming a gift voucher, Request A checks the balance, Request B also checks while A is processing, then both complete successfully—redeeming the voucher twice.

Attackers use specialized techniques to achieve precise timing. HTTP/2's multiplexing allows 20-30 requests in a single TCP packet, arriving virtually simultaneously at the server. For HTTP/1.1, "last-byte synchronization" holds back the final byte of multiple requests, then releases them together. These methods reduce network jitter to microseconds, maximizing collision probability.

Advanced attacks include multi-endpoint collisions (hitting different API paths that share state), exploiting partial object construction (accessing resources before initialization completes), and single-endpoint confusion (causing a function to process stale state by overwhelming it with requests).

Impact

  • Financial fraud: Redeeming coupons multiple times, withdrawing beyond account balance, applying discounts repeatedly
  • Authentication bypass: Reusing CAPTCHA tokens, bypassing rate limits on login attempts, exploiting session validation gaps
  • Resource exhaustion: Claiming limited inventory multiple times, booking the same seat/room concurrently
  • Data corruption: Simultaneous writes creating inconsistent database states, inventory counts becoming negative
  • Access control violations: Exploiting privilege checks to access unauthorized resources during state transitions

Real-World Examples

In 2019, security researchers demonstrated race conditions in major e-commerce platforms allowing users to purchase items at massive discounts by applying the same promotional code dozens of times within milliseconds. The applications checked voucher validity but didn't atomically mark them as used.

TOCTOU vulnerabilities have been found in cryptocurrency exchanges where concurrent withdrawal requests could drain more funds than an account held. Attackers automated HTTP/2 packet timing to submit multiple withdrawal requests before the balance update propagated, essentially duplicating money.

File upload race conditions have enabled remote code execution when attackers upload malicious files and execute them before security scanners complete validation-the check happens, but the file runs before removal.

Mitigation

  • Database transactions with row-level locking: Wrap check-and-update logic in ACID transactions with SELECT FOR UPDATE
  • Idempotency keys: Require unique request identifiers; reject duplicates within a time window
  • Uniqueness constraints: Database-level UNIQUE constraints on critical fields (voucher redemptions, order IDs)
  • Atomic operations: Use database built-ins like DECREMENT with bounds checking, compare-and-swap primitives
  • Application-level mutexes: Distributed locks (Redis, memcached) around critical sections, ensuring single execution
  • Rate limiting per resource: Throttle requests per user AND per target resource (not just per IP)
  • Sequence validation: Check monotonically increasing counters or nonces to detect concurrent modification

Recent CVEs (1817)

EPSS 0% CVSS 6.4
MEDIUM This Month

In st21nfc_loc_set_polaritymode of fc/st21nfc.c, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Google Race Condition Denial Of Service +2
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

In stealReceiveChannel of EventThread.cpp, there is a possible way to interfere with process communication due to a race condition. Rated high severity (CVSS 7.0).

Google Race Condition Privilege Escalation +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Race Condition Google +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Race Condition RCE +10
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Windows Hyper-V Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8). No vendor patch available.

Microsoft Race Condition RCE +7
NVD
EPSS 1% CVSS 8.3
HIGH This Week

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Race Condition Google +2
NVD
EPSS 2% CVSS 8.1
HIGH POC This Week

An issue was discovered in bgpd in FRRouting (FRR) 8.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Race Condition Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

In video codec, there is a possible memory corruption due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Privilege Escalation Buffer Overflow +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In audio ipi, there is a possible memory corruption due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Race Condition Privilege Escalation Buffer Overflow +1
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 103.0.5060.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Information Disclosure Microsoft +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop 17.1.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Race Condition RCE Parallels Desktop
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Windows DNS Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition RCE Microsoft +3
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Windows Connected Devices Platform Service Information Disclosure Vulnerability. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Microsoft Information Disclosure +5
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Windows Group Policy Elevation of Privilege Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition Microsoft Information Disclosure +10
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

PHP Race Condition RCE +1
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

In MDP, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Privilege Escalation Race Condition Denial Of Service +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

In TEEI driver, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Race Condition Denial Of Service +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

In TEEI driver, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Race Condition Denial Of Service +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

In TEEI driver, there is a possible type confusion due to a race condition. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Race Condition Android
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

In GED driver, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Race Condition Denial Of Service +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

In GPU, there is a possible use after free due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.

Privilege Escalation Race Condition Denial Of Service +1
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Information Disclosure Dradis
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. Rated high severity (CVSS 7.0). No vendor patch available.

Privilege Escalation Race Condition Apache +2
NVD
EPSS 2% CVSS 8.5
HIGH PATCH This Week

Windows Hyper-V Remote Code Execution Vulnerability. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable.

Race Condition RCE Microsoft +9
NVD
EPSS 0% CVSS 7.0
HIGH This Week

In ipu_core_jqs_msg_transport_kernel_write_sync of ipu-core-jqs-msg-transport.c, there is a possible use-after-free due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.

Google Race Condition Privilege Escalation +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In lock_sock_nested of sock.c, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Google Race Condition Privilege Escalation +2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In TBD of TBD, there is a possible use-after-free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Google Race Condition Privilege Escalation +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. Rated high severity (CVSS 7.0). No vendor patch available.

Google Race Condition Privilege Escalation +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use after free in graphics fence due to a race condition while closing fence file descriptor and destroy graphics timeline simultaneously in Snapdragon Auto, Snapdragon Compute, Snapdragon. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Denial Of Service Race Condition Qualcomm +80
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

The kernel module has the race condition vulnerability. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Information Disclosure Emui +2
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. Rated medium severity (CVSS 6.4).

Race Condition Information Disclosure Xen +2
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

An out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. Rated medium severity (CVSS 6.3). Public exploit code available and no vendor patch available.

Race Condition Linux Buffer Overflow +3
NVD
EPSS 2% CVSS 8.3
HIGH PATCH This Week

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required.

Google Race Condition Microsoft +2
NVD
EPSS 2% CVSS 8.3
HIGH PATCH This Week

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required.

Google Race Condition Microsoft +2
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A race condition was addressed with improved state handling. Rated medium severity (CVSS 4.7). No vendor patch available.

Authentication Bypass Race Condition Apple +5
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A race condition was addressed with improved locking. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition RCE Apple +4
NVD
EPSS 2% CVSS 4.7
MEDIUM This Month

Description: A race condition was addressed with additional validation. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. No vendor patch available.

Race Condition Apple Information Disclosure +1
NVD
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

Windows Kernel Information Disclosure Vulnerability. Rated medium severity (CVSS 4.7).

Race Condition Microsoft Information Disclosure +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Digital Media Receiver Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8).

Race Condition Microsoft Information Disclosure +4
NVD
EPSS 0% CVSS 7.0
HIGH This Week

In ion_ioctl and related functions of ion.c, there is a possible use after free due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.

Google Race Condition Privilege Escalation +2
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

In startActivityForAttachedApplicationIfNeeded of RootWindowContainer.java, there is a possible way to overlay an app that believes it's still in the foreground, when it is not, due to a race. Rated high severity (CVSS 7.0), this vulnerability is no authentication required.

Google Race Condition Privilege Escalation +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

In several functions of KeyguardServiceWrapper.java and related files,, there is a possible way to briefly view what's under the lockscreen due to a race condition. Rated high severity (CVSS 7.0). No vendor patch available.

Google Race Condition Privilege Escalation +2
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

In aee daemon, there is a possible information disclosure due to a race condition. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Information Disclosure Android
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In aee driver, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Privilege Escalation Race Condition Denial Of Service +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In aee driver, there is a possible use after free due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Privilege Escalation Race Condition Denial Of Service +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Race Condition Linux +2
NVD
EPSS 1% CVSS 7.0
HIGH POC PATCH This Week

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. Rated high severity (CVSS 7.0). Public exploit code available.

Race Condition Linux Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC PATCH This Week

Amazon AWS amazon-ssm-agent before 3.1.1208.0 creates a world-writable sudoers file, which allows local attackers to inject Sudo rules and escalate privileges to root. Rated high severity (CVSS 7.0). Public exploit code available.

Privilege Escalation Race Condition Amazon Ssm Agent
NVD GitHub
EPSS 10% CVSS 7.0
HIGH POC KEV PATCH THREAT Act Now

Windows User Profile Service Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0).

Race Condition Microsoft Information Disclosure +17
NVD
EPSS 2% CVSS 6.6
MEDIUM This Month

Windows DNS Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition RCE Microsoft +5
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Windows Bluetooth Driver Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +4
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Windows File Server Resource Management Service Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +10
NVD
EPSS 2% CVSS 6.6
MEDIUM This Month

Windows DNS Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition RCE Microsoft +5
NVD
EPSS 2% CVSS 6.6
MEDIUM This Month

Windows DNS Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition RCE Microsoft +5
NVD
EPSS 2% CVSS 6.6
MEDIUM This Month

Windows DNS Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition RCE Microsoft +5
NVD
EPSS 2% CVSS 6.6
MEDIUM This Month

Windows DNS Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition RCE Microsoft +5
NVD
EPSS 2% CVSS 6.6
MEDIUM This Month

Windows DNS Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition RCE Microsoft +4
NVD
EPSS 2% CVSS 6.6
MEDIUM This Month

Windows DNS Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition RCE Microsoft +4
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Windows File Explorer Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +8
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Windows Work Folder Service Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +10
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Windows ALPC Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +10
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Windows Hyper-V Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8). No vendor patch available.

Race Condition RCE Microsoft +6
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Windows ALPC Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +5
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Windows Hyper-V Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8). No vendor patch available.

Race Condition RCE Microsoft +7
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A vulnerability has been identified in SCALANCE W1788-1 M12 (All versions < V3.0.0), SCALANCE W1788-2 EEC M12 (All versions < V3.0.0), SCALANCE W1788-2 M12 (All versions < V3.0.0), SCALANCE W1788-2IA. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required.

Denial Of Service Race Condition Siemens +4
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In SUB2AF, there is a possible memory corruption due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Privilege Escalation Race Condition Buffer Overflow +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In vow, there is a possible memory corruption due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Privilege Escalation Race Condition Buffer Overflow +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

In vow, there is a possible memory corruption due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.

Privilege Escalation Race Condition Buffer Overflow +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition. Rated high severity (CVSS 7.0).

Race Condition Linux Information Disclosure +15
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. Rated high severity (CVSS 7.0).

Race Condition Information Disclosure Xen +2
NVD
EPSS 2% CVSS 5.9
MEDIUM POC PATCH This Month

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Race Condition Information Disclosure Paramiko +2
NVD GitHub
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Zulip is an open source group chat application. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Zulip
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several. Rated high severity (CVSS 7.0). No vendor patch available.

Denial Of Service Race Condition Xen +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several. Rated high severity (CVSS 7.0). No vendor patch available.

Denial Of Service Race Condition Xen +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several. Rated high severity (CVSS 7.0). No vendor patch available.

Denial Of Service Race Condition Xen +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several. Rated high severity (CVSS 7.0). No vendor patch available.

Denial Of Service Race Condition Xen +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several. Rated high severity (CVSS 7.0). No vendor patch available.

Denial Of Service Race Condition Xen +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several. Rated high severity (CVSS 7.0). No vendor patch available.

Denial Of Service Race Condition Xen +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several. Rated high severity (CVSS 7.0). No vendor patch available.

Denial Of Service Race Condition Xen +1
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

An use after free vulnerability in sdp driver prior to SMR Mar-2022 Release 1 allows kernel crash. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Race Condition Android
NVD
EPSS 11% CVSS 8.1
HIGH POC THREAT Act Now

Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 11.0%.

Privilege Escalation Race Condition Printix
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Windows Update Stack Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +3
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Windows ALPC Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +6
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Windows ALPC Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +10
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Windows Hyper-V Denial of Service Vulnerability. Rated medium severity (CVSS 4.7). No vendor patch available.

Denial Of Service Race Condition Microsoft +6
NVD
EPSS 0% CVSS 7.8
HIGH This Week

KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Race Condition Kcron
NVD
EPSS 0% CVSS 3.1
LOW POC Monitor

The AnyComment WordPress plugin before 0.2.18 is affected by a race condition when liking/disliking a comment/reply, which could allow any authenticated user to quickly raise their rating or lower. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Race Condition WordPress Information Disclosure +1
NVD WPScan
EPSS 1% CVSS 8.1
HIGH PATCH This Week

An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Buffer Overflow Race Condition Tokio
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

An issue was discovered in the metrics-util crate before 0.7.0 for Rust. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Race Condition Metrics Util
NVD
EPSS 1% CVSS 7.0
HIGH POC This Week

A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Linux Information Disclosure Race Condition +12
NVD GitHub
Prev Page 13 of 21 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
1817

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy