Skip to main content

Race Condition

web MEDIUM

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use).

How It Works

Race conditions occur when multiple concurrent requests exploit the brief time gap between checking a condition and acting upon it (TOCTOU - Time of Check, Time of Use). An attacker sends nearly simultaneous requests to manipulate shared state before the application can enforce its business logic. For example, when redeeming a gift voucher, Request A checks the balance, Request B also checks while A is processing, then both complete successfully—redeeming the voucher twice.

Attackers use specialized techniques to achieve precise timing. HTTP/2's multiplexing allows 20-30 requests in a single TCP packet, arriving virtually simultaneously at the server. For HTTP/1.1, "last-byte synchronization" holds back the final byte of multiple requests, then releases them together. These methods reduce network jitter to microseconds, maximizing collision probability.

Advanced attacks include multi-endpoint collisions (hitting different API paths that share state), exploiting partial object construction (accessing resources before initialization completes), and single-endpoint confusion (causing a function to process stale state by overwhelming it with requests).

Impact

  • Financial fraud: Redeeming coupons multiple times, withdrawing beyond account balance, applying discounts repeatedly
  • Authentication bypass: Reusing CAPTCHA tokens, bypassing rate limits on login attempts, exploiting session validation gaps
  • Resource exhaustion: Claiming limited inventory multiple times, booking the same seat/room concurrently
  • Data corruption: Simultaneous writes creating inconsistent database states, inventory counts becoming negative
  • Access control violations: Exploiting privilege checks to access unauthorized resources during state transitions

Real-World Examples

In 2019, security researchers demonstrated race conditions in major e-commerce platforms allowing users to purchase items at massive discounts by applying the same promotional code dozens of times within milliseconds. The applications checked voucher validity but didn't atomically mark them as used.

TOCTOU vulnerabilities have been found in cryptocurrency exchanges where concurrent withdrawal requests could drain more funds than an account held. Attackers automated HTTP/2 packet timing to submit multiple withdrawal requests before the balance update propagated, essentially duplicating money.

File upload race conditions have enabled remote code execution when attackers upload malicious files and execute them before security scanners complete validation-the check happens, but the file runs before removal.

Mitigation

  • Database transactions with row-level locking: Wrap check-and-update logic in ACID transactions with SELECT FOR UPDATE
  • Idempotency keys: Require unique request identifiers; reject duplicates within a time window
  • Uniqueness constraints: Database-level UNIQUE constraints on critical fields (voucher redemptions, order IDs)
  • Atomic operations: Use database built-ins like DECREMENT with bounds checking, compare-and-swap primitives
  • Application-level mutexes: Distributed locks (Redis, memcached) around critical sections, ensuring single execution
  • Rate limiting per resource: Throttle requests per user AND per target resource (not just per IP)
  • Sequence validation: Check monotonically increasing counters or nonces to detect concurrent modification

Recent CVEs (1815)

EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Arbitrary code execution with Administrator privileges in Rufus versions 4.11 and below due to a race condition in PowerShell script handling within the %TEMP% directory. A local attacker can replace the legitimate Fido script with malicious code between file creation and execution, since Rufus runs elevated but writes to a world-writable location without file locking. Public exploit code exists for this vulnerability, which is fixed in version 4.12_BETA.

Race Condition Rufus
NVD GitHub
EPSS 0% CVSS 3.5
LOW Monitor

Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. [CVSS 3.5 LOW]

Denial Of Service Race Condition Powerscale Onefs
NVD
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. [CVSS 4.8 MEDIUM]

Race Condition Turbo
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

R Automation Runtime versions up to 6.5 is affected by allocation of resources without limits or throttling (CVSS 6.8).

Race Condition
NVD
EPSS 0%
PATCH Monitor

testable and extendable modules out of your GraphQL server. From 2.2.1 to versions up to 2.4.1 is affected by race condition.

Race Condition
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A race condition in Juniper Junos OS on MX10k Series with LC480 or LC2101 line cards allows low-privileged local users to crash line card and potentially chassis daemons by repeatedly executing the 'show system firmware' command. Affected versions include all releases before 21.2R3-S10 and multiple later branches up to 23.2R, with no patch currently available. This denial of service vulnerability requires local access and can be triggered without elevated privileges.

Juniper Denial Of Service Race Condition +1
NVD
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Heap use-after-free in FreeRDP versions before 3.20.1 stems from unsynchronized access to serial channel thread tracking structures, allowing remote attackers to trigger memory corruption and achieve code execution. The vulnerability affects systems using vulnerable FreeRDP versions for remote desktop connections and has public exploit code available. No patch is currently available, requiring users to upgrade to version 3.20.1 or later.

Race Condition Freerdp Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

FreeRDP versions prior to 3.20.1 contain a race condition between the RDPGFX virtual channel and SDL rendering threads that enables heap use-after-free when graphics are reset. Public exploit code exists for this vulnerability, allowing attackers to crash the application or potentially execute code in industrial control systems and other environments using vulnerable FreeRDP implementations. A patch is not currently available, leaving affected systems exposed until an update is released.

Industrial Use After Free Race Condition +3
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

Outray versions up to 0.1.5 contains a vulnerability that allows attackers to exceed the set number of active tunnels in their subscription plan (CVSS 3.7).

Race Condition Outray
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.8 MEDIUM]

Race Condition Harmonyos
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.1 MEDIUM]

Race Condition Harmonyos
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.1 MEDIUM]

Race Condition Harmonyos
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Multi-thread race condition vulnerability in the video framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.4 HIGH]

Race Condition Harmonyos
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.0 HIGH]

Race Condition Harmonyos
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.4 HIGH]

Race Condition Harmonyos
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.0 HIGH]

Race Condition Harmonyos
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 8.0 HIGH]

Race Condition Harmonyos
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Windows 11 and Windows Server 2025 Capability Access Management Service results from a race condition in resource synchronization, enabling authenticated local users to gain elevated system privileges. The vulnerability affects multiple recent Windows versions (24h2 and 25h2) and currently lacks a patch. No public exploit code has been disclosed, though the attack requires local access and moderate complexity to execute.

Race Condition Windows 11 24h2 Windows 11 25h2 +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Windows SMB Server (Server 2025, Windows 11 24H2, Windows 10 22H2) stems from improper synchronization of shared resources during concurrent execution, enabling authenticated network attackers to gain elevated privileges. The vulnerability requires high complexity exploitation but carries high impact across confidentiality, integrity, and availability. No patch is currently available.

Windows Race Condition Windows Server 2025 +13
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Windows SMB Server denial of service via race condition affects Windows 10 21h2, Windows 11 24h2, and Windows Server 2022, allowing authenticated attackers to disrupt service availability through improper synchronization of shared resources. The vulnerability requires network access and specific conditions to trigger but carries no patch availability at this time. Impact is limited to availability with no confidentiality or integrity compromise.

Windows Race Condition Windows Server 2022 +14
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Windows SMB Server (versions 10 22h2, 11 23h2, and 11 25h2) stems from improper synchronization of shared resources, allowing authenticated network attackers to elevate privileges. The race condition vulnerability requires specific timing conditions but carries high impact across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 +13
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Windows SMB Server (2022, 2025) stems from improper synchronization of concurrent resource access, enabling authenticated network attackers to gain elevated privileges. The vulnerability requires specific conditions to trigger but provides high-impact unauthorized access when successfully exploited. No patch is currently available for affected systems.

Race Condition Microsoft Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Windows SMB Server contains a race condition in concurrent resource handling that enables authenticated network attackers to escalate privileges on affected systems including Windows 10 22H2, Windows 10 1607, and Windows Server 2025. The vulnerability requires low attack complexity and network access from an authenticated user, but carries high impact across confidentiality, integrity, and availability. No patch is currently available for this HIGH severity issue (CVSS 7.5).

Windows Race Condition Windows 10 22h2 +13
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Management Services on Windows 10 and 11 contains a race condition in shared resource synchronization that enables authenticated local users to escalate privileges to system level. The vulnerability affects multiple Windows versions including 22h2, 21h2, and 25h2 builds, with no patch currently available.

Windows Race Condition Windows 11 25h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services on Windows 10 and 11 stems from improper synchronization of shared resources, enabling local authenticated attackers to gain elevated privileges. The race condition can be exploited without user interaction and impacts confidentiality, integrity, and availability across system boundaries. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services (Windows 10/11) stems from improper synchronization of shared resources, allowing authenticated local users to gain elevated privileges through race condition exploitation. The vulnerability affects multiple Windows versions including 22H2 and 24H2 builds, with no patch currently available. An attacker with valid credentials can leverage this flaw to escalate from a standard user account to system-level access.

Windows Race Condition Windows 10 22h2 +10
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in Windows Local Session Manager (LSM) across Windows 11 23h2, Windows Server 2012, and 2019 stems from improper synchronization in shared resource handling, enabling authenticated attackers to elevate privileges on affected systems. The vulnerability requires local access and specific timing conditions to exploit, with no patch currently available. This affects systems running the impacted Windows and Server editions where authenticated users may achieve system-level privileges.

Windows Race Condition Windows 11 23h2 +14
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Windows Management Services affects Windows Server 2019, Windows 11 24h2, and Windows Server 2025 through improper synchronization of shared resources, enabling authenticated users to gain elevated system privileges. The vulnerability exploits a race condition that an attacker can trigger without user interaction, though no patch is currently available.

Windows Race Condition Windows Server 2019 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Management Services on Windows 10 and Windows Server 2019 contains a race condition in shared resource synchronization that enables local privilege escalation for authenticated users. An attacker with local access can exploit improper locking mechanisms to gain elevated system privileges. No patch is currently available for this vulnerability.

Windows Race Condition Windows Server 2019 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Management Services on Windows 10 and Windows Server 2022 contain a race condition in shared resource handling that permits authenticated local attackers to escalate privileges to system level. The vulnerability stems from improper synchronization during concurrent operations and affects multiple Windows versions including Windows 10 22H2 and 1809. No patch is currently available for this high-severity issue (CVSS 7.8).

Windows Race Condition Windows Server 2022 +10
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Windows WalletService contains a race condition that permits local privilege escalation on Windows 10 and Windows 11 systems. An unauthenticated attacker with local access can exploit improper synchronization of shared resources to gain elevated privileges. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 +7
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation via race condition in Windows SMB Server affects Windows 10 21h2, Windows 11 25h2, and Windows Server 2022 23h2, allowing authenticated attackers to gain elevated privileges over the network. The vulnerability stems from improper synchronization when handling concurrent access to shared resources, and no patch is currently available. With a CVSS score of 7.5, this poses a significant risk to organizations using affected Windows versions.

Windows Race Condition Windows 10 21h2 +13
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in the Graphics Kernel on Windows 11 and Linux systems results from improper synchronization of concurrent access to shared resources, allowing authenticated local attackers to gain elevated privileges. The vulnerability requires specific timing conditions to exploit but impacts multiple Windows versions and Linux distributions. No patch is currently available for this race condition vulnerability.

Linux Industrial Race Condition +13
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock contains a race condition that enables local privilege escalation on affected Windows systems including Server 2008, Server 2019, and Windows 10 22H2. An authenticated attacker can exploit this timing vulnerability to gain elevated privileges with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Windows Race Condition Windows Server 2008 +14
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Windows Server 2025 Capability Access Management Service stems from improper synchronization of shared resources, enabling authenticated local users to gain elevated privileges. The race condition requires specific timing conditions but no patch is currently available, leaving affected systems vulnerable to privilege escalation attacks by authorized local users.

Race Condition Windows Server 2025 Microsoft
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Tablet UI (TWINUI) subsystem on Windows 10, Windows Server 2022, and Windows Server 2025 stems from improper synchronization of shared resources, enabling authenticated local attackers to gain elevated privileges. The race condition vulnerability affects multiple Windows versions and currently has no available patch.

Windows Race Condition Windows Server 2022 23h2 +12
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Installer contains a time-of-check time-of-use race condition that allows authenticated local attackers to escalate privileges on Windows 10 1809, Windows 11 25h2, and Windows Server 2022 23h2. An attacker with local access can exploit the window between permission validation and file operation execution to gain elevated system access. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 25h2 +14
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Windows 11 and Windows Server 2025 Capability Access Management Service stems from improper synchronization of shared resources, enabling a local authenticated attacker to gain elevated privileges. The vulnerability exploits a race condition that can be triggered without user interaction, though successful exploitation requires specific timing and system conditions. No patch is currently available for this high-severity issue.

Race Condition Windows 11 25h2 Windows 11 24h2 +2
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in the Graphics Kernel affects Linux, Windows Server 2016, and Windows 10 1607 through a race condition in shared resource synchronization. A local authenticated attacker can exploit this vulnerability to gain elevated privileges on the affected system. No patch is currently available for this vulnerability.

Linux Industrial Race Condition +13
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Kernel Memory affects Windows 10 21h2 and Windows Server 2022 23h2, exploitable by local authenticated users through a race condition between permission checks and memory access. An attacker with local access can leverage this window to gain elevated system privileges. No patch is currently available.

Linux Windows Race Condition +14
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Windows Printer Association Object affects Windows 11 and Windows Server 2022/2025 through a race condition in shared resource access. An authenticated local attacker can exploit improper synchronization to gain elevated system privileges. No patch is currently available for this vulnerability.

Race Condition Windows Server 2025 Windows 11 25h2 +3
NVD
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object.

Linux Information Disclosure Race Condition +3
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`.

Linux Race Condition Linux Kernel
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad.

Linux Use After Free Race Condition +1
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1.

Linux Use After Free Race Condition +1
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating compression context during writeback Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857 Call Trace: <TASK> f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline] f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317 do_writepages+0x38e/0x640 mm/page-writeback.c:2634 filemap_fdatawrite_wbc mm/filemap.c:386 [inline] __filemap_fdatawrite_range mm/filemap.c:419 [inline] file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794 f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294 generic_write_sync include/linux/fs.h:3043 [inline] f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x7e9/0xe00 fs/read_write.c:686 ksys_write+0x19d/0x2d0 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The bug was triggered w/ below race condition: fsync setattr ioctl - f2fs_do_sync_file - file_write_and_wait_range - f2fs_write_cache_pages : inode is non-compressed : cc.cluster_size = F2FS_I(inode)->i_cluster_size = 0 - tag_pages_for_writeback - f2fs_setattr - truncate_setsize - f2fs_truncate - f2fs_fileattr_set - f2fs_setflags_common - set_compress_context : F2FS_I(inode)->i_cluster_size = 4 : set_inode_flag(inode, FI_COMPRESSED_FILE) - f2fs_compressed_file : return true - f2fs_all_cluster_page_ready : "pgidx % cc->cluster_size" trigger dividing 0 issue Let's change as below to fix this issue: - introduce a new atomic type variable .writeback in structure f2fs_inode_info to track the number of threads which calling f2fs_write_cache_pages().

Linux Race Condition Linux Kernel
NVD VulDB
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

Virtualenv versions up to 20.36.1 is affected by improper link resolution before file access (CVSS 4.5).

Python Race Condition Virtualenv +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Python's filelock SoftFileLock implementation prior to version 3.20.3 contains a TOCTOU race condition that allows local attackers with symlink creation privileges to interfere with lock file operations between permission validation and file creation. An attacker can exploit this window to create a symlink at the target lock path, causing lock operations to fail or redirect to unintended files, resulting in denial of service or unexpected behavior. Upgrade to filelock version 3.20.3 or later to remediate this vulnerability.

Python Denial Of Service Race Condition +3
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Concurrent requests in axios4go prior to version 0.6.4 trigger unsynchronized mutations to the shared HTTP client configuration, allowing attackers to manipulate transport settings, timeouts, and redirect handlers across simultaneous operations. Applications using async requests or multiple goroutines with different proxy configurations or handling sensitive credentials are vulnerable to request interception, credential leakage, or denial of service. Upgrade to version 0.6.4 or later to resolve this race condition.

Golang Race Condition Axios4go
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

In seninf, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]

Privilege Escalation Race Condition Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]

Use After Free Privilege Escalation Race Condition +2
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service. [CVSS 5.9 MEDIUM]

Samsung Denial Of Service Race Condition +6
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service. [CVSS 5.1 MEDIUM]

Samsung Denial Of Service Race Condition +6
NVD
EPSS 0% CVSS 2.9
LOW POC Monitor

A vulnerability has been found in PHPEMS up to 11.0. This impacts an unknown function of the component Purchase Request Handler. The manipulation leads to race condition. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used.

Information Disclosure Race Condition Phpems
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC Monitor

Race condition in PHPEMS Coupon Handler component up to version 11.0 allows authenticated remote attackers to manipulate coupon processing logic, potentially resulting in integrity compromise. The vulnerability requires high attack complexity and authenticated access, limiting practical exploitation despite publicly available proof-of-concept code. EPSS score of 0.04% indicates low real-world exploitation probability despite public POC availability.

Information Disclosure Race Condition Phpems
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

OpenCart versions up to 4.1.0.3 are vulnerable to a race condition in the Single-Use Coupon Handler component that allows remote attackers to perform unauthorized manipulation resulting in information disclosure. The attack requires high complexity and no authentication, with a CVSS score of 2.9 indicating low impact. Publicly available exploit code exists, though the vendor did not respond to early disclosure notification.

Information Disclosure Race Condition Opencart
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW Monitor

Safari and Apple operating systems contain a race condition that crashes the rendering process when processing maliciously crafted web content, affecting Safari 26.2 and earlier, iOS 18.7.3 and earlier, iPadOS 18.7.3 and earlier, macOS Tahoe 26.2 and earlier, tvOS 26.2 and earlier, visionOS 26.2 and earlier, and watchOS 26.2 and earlier. The vulnerability requires user interaction (clicking a malicious link or visiting a hostile website) and has high attack complexity, resulting in denial of service through process crash rather than data compromise. No public exploit code has been identified, EPSS exploitation probability is very low at 0.12%, and Apple has released patched versions across all affected platforms.

Apple Safari iOS +8
NVD
EPSS 0% CVSS 7.0
HIGH This Week

In multiple locations of UsbDataAdvancedProtectionHook.java, there is a possible way to access USB data when the screen is off due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Race Condition Android +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

In multiple locations, there is a possible intent filter bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Race Condition Android +1
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Multi-thread race condition vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect availability.

Information Disclosure Race Condition Harmonyos
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Race condition vulnerability in the network module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Information Disclosure Race Condition Harmonyos
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability.

Information Disclosure Race Condition Harmonyos
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability.

Information Disclosure Race Condition Harmonyos
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability.

Information Disclosure Race Condition Harmonyos
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Google Information Disclosure Race Condition +5
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833.

Denial Of Service Race Condition Openwrt +3
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Denial of service (DoS) vulnerability in the office service. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Race Condition Microsoft +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

DoS vulnerability in the video-related system service module. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Harmonyos
NVD
EPSS 0% CVSS 8.4
HIGH This Week

UAF vulnerability in the screen recording framework module. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Harmonyos
NVD
EPSS 0% CVSS 7.1
HIGH This Month

An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition Information Disclosure
NVD
EPSS 0% CVSS 9.4
CRITICAL PATCH This Week

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Authentication Bypass Jersey
NVD
EPSS 0% CVSS 7.5
HIGH POC This Month

Inappropriate implementation in DevTools in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Google Race Condition Information Disclosure +2
NVD
EPSS 0% CVSS 1.8
LOW PATCH Monitor

Wasmtime is a runtime for WebAssembly. Rated low severity (CVSS 1.8). No vendor patch available.

Race Condition Information Disclosure
NVD GitHub
EPSS 0%
Monitor

Linux kernel F2FS filesystem implementation contains a race condition between garbage collection and block allocation that causes segment type inconsistencies, leading to filesystem shutdown. The vulnerability affects systems using F2FS with pinned files during concurrent fallocate and writepage operations. While the EPSS score is low at 0.03%, this is a kernel-level denial of service affecting data availability on affected systems.

Linux Linux Kernel Denial Of Service +1
NVD
EPSS 0%
Monitor

Linux kernel block I/O throttling subsystem crashes with a NULL pointer dereference when I/O operations are submitted during early initialization before throttle policy is fully activated, causing denial of service on affected systems. The vulnerability affects the block layer's throttle policy initialization sequence and is triggered sporadically on cold boots when blk_should_throtl() accesses uninitialized throttle group state. With an EPSS score of 0.03% (10th percentile) and no public exploit identified, this is a low-probability but high-impact local crash condition requiring a kernel patch to fully resolve.

Linux Linux Kernel Null Pointer Dereference +2
NVD
EPSS 0% CVSS 7.0
HIGH This Month

Double free in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +7
NVD
EPSS 0% CVSS 7.0
HIGH This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +7
NVD
EPSS 0% CVSS 7.0
HIGH This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +15
NVD
EPSS 1% CVSS 7.0
HIGH POC KEV THREAT Act Now

Windows Kernel contains a race condition vulnerability enabling local privilege escalation through concurrent resource access with improper synchronization.

Race Condition Microsoft Information Disclosure +11
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to deny service over a network. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition Microsoft Information Disclosure +11
NVD
EPSS 0% CVSS 7.0
HIGH This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +13
NVD
EPSS 0% CVSS 7.0
HIGH This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +13
NVD
EPSS 0% CVSS 7.0
HIGH This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.

Race Condition Microsoft Information Disclosure +14
NVD
EPSS 0% CVSS 2.7
LOW Monitor

In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Race Condition Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Race condition in the Graphics component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Race Condition Mozilla
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH Monitor

Race in Storage in Google Chrome on Windows prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Race Condition Microsoft +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Month

Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Race Condition Information Disclosure +3
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Hub
NVD
EPSS 0% CVSS 2.7
LOW Monitor

In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Race Condition Authentication Bypass Hub
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A race condition was addressed with improved state handling. Rated medium severity (CVSS 4.7). No vendor patch available.

Apple Race Condition Information Disclosure
NVD
Prev Page 5 of 21 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
1815

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy