Skip to main content

Race Condition

web MEDIUM

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use).

How It Works

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use). An attacker sends nearly simultaneous requests to manipulate shared state before the application can enforce its business logic. For example, when redeeming a gift voucher, Request A checks the balance, Request B also checks while A is processing, then both complete successfully—redeeming the voucher twice.

Attackers use specialized techniques to achieve precise timing. HTTP/2's multiplexing allows 20-30 requests in a single TCP packet, arriving virtually simultaneously at the server. For HTTP/1.1, "last-byte synchronization" holds back the final byte of multiple requests, then releases them together. These methods reduce network jitter to microseconds, maximizing collision probability.

Advanced attacks include multi-endpoint collisions (hitting different API paths that share state), exploiting partial object construction (accessing resources before initialization completes), and single-endpoint confusion (causing a function to process stale state by overwhelming it with requests).

Impact

  • Financial fraud: Redeeming coupons multiple times, withdrawing beyond account balance, applying discounts repeatedly
  • Authentication bypass: Reusing CAPTCHA tokens, bypassing rate limits on login attempts, exploiting session validation gaps
  • Resource exhaustion: Claiming limited inventory multiple times, booking the same seat/room concurrently
  • Data corruption: Simultaneous writes creating inconsistent database states, inventory counts becoming negative
  • Access control violations: Exploiting privilege checks to access unauthorized resources during state transitions

Real-World Examples

In 2019, security researchers demonstrated race conditions in major e-commerce platforms allowing users to purchase items at massive discounts by applying the same promotional code dozens of times within milliseconds. The applications checked voucher validity but didn't atomically mark them as used.

TOCTOU vulnerabilities have been found in cryptocurrency exchanges where concurrent withdrawal requests could drain more funds than an account held. Attackers automated HTTP/2 packet timing to submit multiple withdrawal requests before the balance update propagated, essentially duplicating money.

File upload race conditions have enabled remote code execution when attackers upload malicious files and execute them before security scanners complete validation-the check happens, but the file runs before removal.

Mitigation

  • Database transactions with row-level locking: Wrap check-and-update logic in ACID transactions with SELECT FOR UPDATE
  • Idempotency keys: Require unique request identifiers; reject duplicates within a time window
  • Uniqueness constraints: Database-level UNIQUE constraints on critical fields (voucher redemptions, order IDs)
  • Atomic operations: Use database built-ins like DECREMENT with bounds checking, compare-and-swap primitives
  • Application-level mutexes: Distributed locks (Redis, memcached) around critical sections, ensuring single execution
  • Rate limiting per resource: Throttle requests per user AND per target resource (not just per IP)
  • Sequence validation: Check monotonically increasing counters or nonces to detect concurrent modification

Recent CVEs (1817)

EPSS 0% CVSS 1.2
LOW PATCH Monitor

scripts/annotate-output.sh in devscripts before 2.12.2, as used in rpmdevtools before 8.3, allows local users to modify arbitrary files via a symlink attack on the temporary (1) standard output or. Rated low severity (CVSS 1.2).

Information Disclosure Race Condition Devscripts
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Race condition in Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the plug-in paint buffer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Denial Of Service Race Condition +2
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Race condition in Google Chrome before 21.0.1180.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving improper interaction between. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Google Denial Of Service Race Condition +2
NVD
EPSS 0% CVSS 1.2
LOW Monitor

Race condition in Tunnelblick 3.3beta20 and earlier allows local users to kill unintended processes by waiting for a specific PID value to be assigned to a target process. Rated low severity (CVSS 1.2). No vendor patch available.

Information Disclosure Race Condition Tunnelblick
NVD
EPSS 1% CVSS 6.2
MEDIUM POC This Month

Race condition in the runScript function in Tunnelblick 3.3beta20 and earlier allows local users to gain privileges by replacing a script file. Rated medium severity (CVSS 6.2). Public exploit code available and no vendor patch available.

Information Disclosure Race Condition Tunnelblick
NVD Exploit-DB
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

The Linux kernel before 3.4.5 on the x86 platform, when Physical Address Extension (PAE) is enabled, does not properly use the Page Middle Directory (PMD), which allows local users to cause a denial. Rated medium severity (CVSS 4.0).

Denial Of Service Linux Race Condition +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Cisco IOS 15.0 and 15.1 on Catalyst 3560 and 3750 series switches allows remote authenticated users to cause a denial of service (device reload) by completing local web authentication quickly, aka. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Race Condition Apple +10
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

Race condition in the ns_client structure management in ISC BIND 9.9.x before 9.9.1-P2 allows remote attackers to cause a denial of service (memory consumption or process exit) via a large volume of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Race Condition Bind
NVD
EPSS 0% CVSS 1.9
LOW POC Monitor

The user_change_icon_file_authorized_cb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache. Rated low severity (CVSS 1.9). Public exploit code available and no vendor patch available.

Information Disclosure Race Condition Accountsservice
NVD
EPSS 0% CVSS 3.3
LOW POC Monitor

The rm_rf_children function in util.c in the systemd-logind login manager in systemd before 44, when logging out, allows local users to delete arbitrary files via a symlink attack on unspecified. Rated low severity (CVSS 3.3). Public exploit code available and no vendor patch available.

Information Disclosure Race Condition Systemd
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cisco Application Control Engine (ACE) before A4(2.3) and A5 before A5(1.1), when multicontext mode is enabled, does not properly share a management IP address among multiple contexts, which allows. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition Authentication Bypass Cisco +1
NVD
EPSS 1% CVSS 6.9
MEDIUM This Month

Race condition in the thread-creation implementation in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3 allows local users to gain privileges via a crafted application, aka. Rated medium severity (CVSS 6.9). No vendor patch available.

Information Disclosure Race Condition Microsoft +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Race condition in LoginUIFramework in Apple Mac OS X 10.7.x before 10.7.4, when the Guest account is enabled, allows physically proximate attackers to login to arbitrary accounts by entering the. Rated medium severity (CVSS 6.9). No vendor patch available.

Information Disclosure Race Condition Apple +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Race condition in the initialization routine in blued in Bluetooth in Apple Mac OS X before 10.7.4 allows local users to gain privileges via vectors involving a temporary file. Rated medium severity (CVSS 6.9). No vendor patch available.

Information Disclosure Race Condition Apple +2
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Race condition in the Zone-Based Firewall in Cisco IOS 15.1 and 15.2, when IPS policies are configured, allows remote attackers to cause a denial of service (device crash) by sending IPv6 packets,. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Race Condition Apple +2
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Race condition in the Passcode Lock feature in Apple iOS before 5.1 allows physically proximate attackers to bypass intended passcode requirements via a slide-to-dial gesture. Rated medium severity (CVSS 6.9). No vendor patch available.

Race Condition Apple Authentication Bypass +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Qt6 WebEngine (qt6-qtwebengine) on Alpine Linux has been patched in package version 6.10.1-r7, addressing an unspecified vulnerability. The nature, severity, and exploitability of the underlying flaw are not disclosed in available intelligence - no CVE description, CVSS score, CWE classification, or vendor advisory narrative has been published at time of analysis. Alpine Linux is the sole reporting source, and the fix is confirmed present in the Alpine package repository at version 6.10.1-r7.

Information Disclosure Race Condition
NVD VulDB
Prev Page 21 of 21

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
1817

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy