Skip to main content

Race Condition

web MEDIUM

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use).

How It Works

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use). An attacker sends nearly simultaneous requests to manipulate shared state before the application can enforce its business logic. For example, when redeeming a gift voucher, Request A checks the balance, Request B also checks while A is processing, then both complete successfully—redeeming the voucher twice.

Attackers use specialized techniques to achieve precise timing. HTTP/2's multiplexing allows 20-30 requests in a single TCP packet, arriving virtually simultaneously at the server. For HTTP/1.1, "last-byte synchronization" holds back the final byte of multiple requests, then releases them together. These methods reduce network jitter to microseconds, maximizing collision probability.

Advanced attacks include multi-endpoint collisions (hitting different API paths that share state), exploiting partial object construction (accessing resources before initialization completes), and single-endpoint confusion (causing a function to process stale state by overwhelming it with requests).

Impact

  • Financial fraud: Redeeming coupons multiple times, withdrawing beyond account balance, applying discounts repeatedly
  • Authentication bypass: Reusing CAPTCHA tokens, bypassing rate limits on login attempts, exploiting session validation gaps
  • Resource exhaustion: Claiming limited inventory multiple times, booking the same seat/room concurrently
  • Data corruption: Simultaneous writes creating inconsistent database states, inventory counts becoming negative
  • Access control violations: Exploiting privilege checks to access unauthorized resources during state transitions

Real-World Examples

In 2019, security researchers demonstrated race conditions in major e-commerce platforms allowing users to purchase items at massive discounts by applying the same promotional code dozens of times within milliseconds. The applications checked voucher validity but didn't atomically mark them as used.

TOCTOU vulnerabilities have been found in cryptocurrency exchanges where concurrent withdrawal requests could drain more funds than an account held. Attackers automated HTTP/2 packet timing to submit multiple withdrawal requests before the balance update propagated, essentially duplicating money.

File upload race conditions have enabled remote code execution when attackers upload malicious files and execute them before security scanners complete validation-the check happens, but the file runs before removal.

Mitigation

  • Database transactions with row-level locking: Wrap check-and-update logic in ACID transactions with SELECT FOR UPDATE
  • Idempotency keys: Require unique request identifiers; reject duplicates within a time window
  • Uniqueness constraints: Database-level UNIQUE constraints on critical fields (voucher redemptions, order IDs)
  • Atomic operations: Use database built-ins like DECREMENT with bounds checking, compare-and-swap primitives
  • Application-level mutexes: Distributed locks (Redis, memcached) around critical sections, ensuring single execution
  • Rate limiting per resource: Throttle requests per user AND per target resource (not just per IP)
  • Sequence validation: Check monotonically increasing counters or nonces to detect concurrent modification

Recent CVEs (1817)

EPSS 0% CVSS 7.2
HIGH This Week

Unity before 7.2.3 and 7.3.x before 7.3.1, as used in Ubuntu, does not properly take focus of the keyboard when switching to the lock screen, which allows physically proximate attackers to bypass the. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Race Condition Ubuntu Authentication Bypass +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors. Rated medium severity (CVSS 6.9). No vendor patch available.

Race Condition Information Disclosure Acpi Support +1
NVD
EPSS 75% 5.1 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 75.4%.

Race Condition Denial Of Service Buffer Overflow +8
NVD Exploit-DB
EPSS 1% CVSS 6.9
MEDIUM POC PATCH This Month

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows. Rated medium severity (CVSS 6.9). Public exploit code available.

Canonical Race Condition Denial Of Service +5
NVD Exploit-DB GitHub
EPSS 0% CVSS 1.9
LOW PATCH Monitor

Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users. Rated low severity (CVSS 1.9).

Information Disclosure Race Condition Linux +6
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM This Month

The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing. Rated medium severity (CVSS 4.0). No vendor patch available.

Denial Of Service Race Condition Linux +4
NVD
EPSS 49% 5.6 CVSS 5.5
MEDIUM POC KEV PATCH THREAT Act Now

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Denial Of Service Buffer Overflow Race Condition +1
NVD Exploit-DB GitHub VulDB
EPSS 1% CVSS 4.3
MEDIUM POC This Month

Core FTP Server 1.2 before build 515 allows remote attackers to cause a denial of service (reachable assertion and crash) via an AUTH SSL command with malformed data, as demonstrated by pressing the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Race Condition Denial Of Service Core Ftp
NVD VulDB
EPSS 3% CVSS 7.1
HIGH POC PATCH This Week

Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available.

Denial Of Service Race Condition Linux +4
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

A race condition in the wmi_malware_scan.nbin plugin before 201402262215 for Nessus 5.2.1 allows local users to gain privileges by replacing the dissolvable agent executable in the Windows temp. Rated medium severity (CVSS 6.9). No vendor patch available.

Race Condition Information Disclosure Microsoft +2
NVD VulDB
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable.

Denial Of Service Race Condition Linux +1
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Race Condition PostgreSQL
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable.

Denial Of Service Race Condition Linux +1
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Cisco Wireless LAN Controller (WLC) devices 7.4 before 7.4.110.0 distribute Aironet IOS software with a race condition in the status of the administrative HTTP server, which allows remote attackers. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Race Condition Apple +3
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

PHP Information Disclosure Race Condition +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Race condition in the cut-through proxy feature in Cisco Firewall Services Module (FWSM) Software 3.x before 3.2(28) and 4.x before 4.1(15) allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Race Condition Cisco +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

parcimonie before 0.8.1, when using a large keyring, sleeps for the same amount of time between fetches, which allows attackers to correlate key fetches via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Race Condition Parcimonie
NVD
EPSS 2% CVSS 9.3
CRITICAL PATCH Act Now

Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable.

Denial Of Service Mozilla Race Condition +13
NVD
EPSS 12% CVSS 3.3
LOW Monitor

Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Epss exploitation probability 11.7% and no vendor patch available.

Denial Of Service Race Condition Libvirt
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify. Rated medium severity (CVSS 6.8). No vendor patch available.

Denial Of Service Race Condition Libvirt
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Juniper Junos 10.4 before 10.4R16, 11.4 before 11.4R10, 12.1R before 12.1R8-S2, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, 12.1X46 before 12.1X46-D10, 12.2 before 12.2R7, 12.3 before. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Juniper Race Condition +1
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Race condition in the libreswan.spec files for Red Hat Enterprise Linux (RHEL) and Fedora packages in libreswan 3.6 has unspecified impact and attack vectors, involving the /var/tmp/libreswan-nss-pwd. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available.

Red Hat Information Disclosure Race Condition +1
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM POC PATCH This Month

Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via. Rated medium severity (CVSS 4.7). Public exploit code available.

Denial Of Service Linux Race Condition +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Race condition in sap_suse_cluster_connector before 1.0.0-0.8.1 in SUSE Linux Enterprise for SAP Applications 11 SP2 allows local users to have an unspecified impact via vectors related to a tmp/. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition SAP +1
NVD
EPSS 0% CVSS 1.9
LOW Monitor

Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive. Rated low severity (CVSS 1.9). No vendor patch available.

Information Disclosure Race Condition Luci +1
NVD
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, relies on. Rated medium severity (CVSS 6.9). Public exploit code available.

Google Denial Of Service Linux +4
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Multiple race conditions in the Phone app in Apple iOS before 7.0.3 allow physically proximate attackers to bypass the locked state, and dial the telephone numbers in arbitrary Contacts entries, by. Rated low severity (CVSS 3.3). No vendor patch available.

Race Condition Apple Authentication Bypass +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Race condition in the HTTP Deep Packet Inspection (DPI) feature in Cisco Adaptive Security Appliance (ASA) Software 8.2.x before 8.2(5.46), 8.3.x before 8.3(2.39), 8.4.x before 8.4(5.5), 8.5.x before. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Java Race Condition +2
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race. Rated medium severity (CVSS 6.9).

Race Condition Authentication Bypass Systemd +2
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity.

Race Condition Authentication Bypass Opensuse +3
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Multiple race conditions in the Web Audio implementation in Blink, as used in Google Chrome before 30.0.1599.66, allow remote attackers to cause a denial of service or possibly have unspecified other. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Google Denial Of Service Race Condition +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Race condition in the IPv6 virtual fragmentation reassembly (VFR) implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.3 allows remote attackers to cause a denial of service (device. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Race Condition Apple +2
NVD
EPSS 0% CVSS 3.7
LOW POC Monitor

Passcode Lock in Apple iOS before 7 does not properly manage the lock state, which allows physically proximate attackers to bypass an intended passcode requirement by leveraging a race condition. Rated low severity (CVSS 3.7). Public exploit code available and no vendor patch available.

Race Condition Apple Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 4.9
MEDIUM POC This Month

Multiple race conditions in HtmlCleaner before 2.6, as used in Open-Xchange AppSuite 7.2.2 before rev13 and other products, allow remote authenticated users to read the private e-mail of other. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Information Disclosure Race Condition Htmlcleaner +1
NVD
EPSS 0% CVSS 1.9
LOW POC Monitor

Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions. Rated low severity (CVSS 1.9). Public exploit code available and no vendor patch available.

Debian Information Disclosure Race Condition +2
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

A certain Red Hat patch to the KVM subsystem in the kernel package before 2.6.32-358.11.1.el6 on Red Hat Enterprise Linux (RHEL) 6 does not properly implement the PV EOI feature, which allows guest. Rated medium severity (CVSS 5.7). No vendor patch available.

Red Hat Denial Of Service Race Condition +1
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Race condition in the workers implementation in Google Chrome before 27.0.1453.93 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Google Denial Of Service Race Condition +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Race condition in the smb_send_rqst function in fs/cifs/transport.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly. Rated medium severity (CVSS 4.4). No vendor patch available.

Denial Of Service Linux Race Condition +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Race condition in the CIFS implementation in the rewriter module in the Clientless SSL VPN component on Cisco Adaptive Security Appliances (ASA) devices allows remote authenticated users to cause a. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Race Condition Cisco +3
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Race condition on Cisco Adaptive Security Appliances (ASA) devices allows remote attackers to cause a denial of service (CPU consumption or device reload) by establishing multiple connections,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Race Condition Cisco +3
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Race condition in the kernel in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows. Rated high severity (CVSS 7.0). No vendor patch available.

Information Disclosure Race Condition Microsoft +8
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure Race Condition Microsoft +6
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Race condition in the kernel in Microsoft Windows 8, Windows Server 2012, and Windows RT allows local users to gain privileges via a crafted application that leverages improper handling of objects in. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +3
NVD
EPSS 1% CVSS 6.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and. Rated medium severity (CVSS 6.9). No vendor patch available.

Information Disclosure Race Condition Microsoft +8
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Race condition in the VRF-aware NAT feature in Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 allows remote attackers to cause a denial of service (memory consumption) via IPv4 packets, aka Bug. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Race Condition Apple +2
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and. Rated medium severity (CVSS 4.7). No vendor patch available.

Denial Of Service Linux Race Condition +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

manifests/base.pp in the puppetlabs-cinder module, as used in PackStack, uses world-readable permissions for the (1) cinder.conf and (2) api-paste.ini configuration files, which allows local users to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Race condition in Google Chrome before 25.0.1364.152 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of media. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Denial Of Service Race Condition +1
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Race condition in the International Components for Unicode (ICU) functionality in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Google Denial Of Service Race Condition +3
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Race condition in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service or possibly have unspecified other. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Google Denial Of Service Race Condition +3
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by. Rated medium severity (CVSS 6.9). No vendor patch available.

Linux Race Condition Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Race condition in the kernel in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Race condition in the kernel in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated high severity (CVSS 7.0). No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated high severity (CVSS 7.0). No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated high severity (CVSS 7.0). No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Race Condition Microsoft +5
NVD
EPSS 0% CVSS 1.2
LOW Monitor

ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD. Rated low severity (CVSS 1.2). No vendor patch available.

Information Disclosure Race Condition Proftpd
NVD
EPSS 0% CVSS 1.9
LOW PATCH Monitor

Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as. Rated low severity (CVSS 1.9).

Linux Race Condition Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM This Month

Race condition in Pepper, as used in Google Chrome before 23.0.1271.64, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to buffers. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Google Denial Of Service Race Condition +1
NVD
EPSS 12% CVSS 5.1
MEDIUM POC THREAT This Month

Race condition in WebKit in Apple iOS before 6.0.1 and Safari before 6.0.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 11.8%.

Denial Of Service Race Condition Apple +3
NVD Exploit-DB
EPSS 6% CVSS 9.3
CRITICAL Act Now

Race condition in Google Chrome before 22.0.1229.92 allows remote attackers to execute arbitrary code via vectors related to audio devices. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Google Race Condition RCE +1
NVD
EPSS 0% CVSS 6.2
MEDIUM POC PATCH This Month

Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors. Rated medium severity (CVSS 6.2). Public exploit code available.

Denial Of Service Linux Race Condition +1
NVD GitHub
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Denial Of Service Linux Race Condition +2
NVD GitHub
Prev Page 20 of 21 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
1817

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy