Improper Preservation of Consistency Between Independent Representations of Shared State

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a system with multiple independent components (like distributed services or separate hardware units) each maintain their own copy of shared data—such as user state, cache, or configuration—but the system fails to keep all these local copies synchronized and consistent with each other.

Extended Description

In modern distributed architectures—think cloud services, multiplayer games, or systems with parallel processing units—different components often need local snapshots of critical data to operate efficiently. However, if updates to this shared state aren't properly coordinated across all copies, each component starts working with different versions of the truth. This breakdown in synchronization is where the vulnerability takes root. When local representations drift apart, the system's behavior becomes unpredictable. Users might see outdated information, transactions can process in the wrong order, or security controls might fail because one component grants access based on stale data. Essentially, any mechanism that assumes all parts of the system share the same view of data—like authentication, inventory management, or game state—becomes unreliable and potentially exploitable.

Demonstrative Examples 1

ID : DX-132

Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.
Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access range gets updated, then the attacker can leverage this scenario.
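The scenario above as a small model, added here as an illustration and not part of the CWE entry: it counts, for each of five shadow MMUs, how many accesses are granted from a stale local range when the update message waits in FIFO order, and how many when the fabric prioritizes it. The address ranges, backlog depths and all function names are constructed assumptions.

```python
from collections import deque

OLD_RANGE = (0x0000, 0xFFFF)   # constructed: accessible range before the update
NEW_RANGE = (0x0000, 0x7FFF)   # constructed: range the main MMU has just committed

class ShadowMMU:
    """Holds its own local copy of the accessible range."""
    def __init__(self, rng):
        self.range = rng

    def handle(self, packet):
        kind, value = packet
        if kind == "update":          # update message from the main MMU
            self.range = value
            return None
        lo, hi = self.range           # access check uses the local copy only
        return lo <= value <= hi

def enqueue_update(backlog, new_range, prioritize):
    """Link queue right after the main MMU commits new_range."""
    queue = deque(backlog)
    if prioritize:
        queue.appendleft(("update", new_range))   # update overtakes general traffic
    else:
        queue.append(("update", new_range))       # plain FIFO: update waits its turn
    return queue

def stale_grants(backlog, prioritize):
    """Accesses a shadow MMU grants that the main MMU's new range forbids."""
    shadow = ShadowMMU(OLD_RANGE)
    stale = []
    for packet in enqueue_update(backlog, NEW_RANGE, prioritize):
        if shadow.handle(packet) and not NEW_RANGE[0] <= packet[1] <= NEW_RANGE[1]:
            stale.append(packet[1])
    return stale

def simulate(backlogs, prioritize):
    """One result per shadow MMU; each link has its own backlog depth."""
    return [stale_grants(b, prioritize) for b in backlogs]

# Constructed traffic: five shadow MMUs whose links hold 0..4 queued accesses
# to 0x9000, an address inside OLD_RANGE but outside NEW_RANGE.
BACKLOGS = [[("access", 0x9000)] * depth for depth in range(5)]

if __name__ == "__main__":
    for label, prio in (("FIFO", False), ("prioritized", True)):
        print(label, [len(s) for s in simulate(BACKLOGS, prio)])
```

In the FIFO case the number of stale grants equals the backlog depth on each link, so the five copies disagree with the main MMU for different lengths of time; with prioritized updates the count is zero on every link.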
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Cloud Computing : Undetermined
Security Hardware : Undetermined
Notes
Research Gap
Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.