logo

Context Switching Race Condition

Draft Base
Structure: Simple
Description

This vulnerability occurs when an application switches between different security contexts (like privilege levels or domains) using a series of steps that can be interrupted. An attacker can exploit the timing gap during this switch to trick the application into performing actions with the wrong permissions or resources.

Extended Description

This flaw is a classic race condition that targets the brief window when an application is changing states, such as moving from a trusted admin area to a public user space. Because the switch isn't performed as a single, uninterruptible operation, an attacker can inject malicious actions that get executed with the privileges of the previous, more trusted context. In practice, this is frequently seen in web browsers. For example, if a user navigates from a secure banking site to an untrusted forum, there's a moment during the page transition where scripts might still run with the origin or permissions of the banking site. An attacker could exploit this to access sensitive data or perform unauthorized actions that should have been blocked after the context change.
Common Consequences 1
Scope: IntegrityConfidentiality

Impact: Modify Application DataRead Application Data
Observed Examples 4
CVE-2009-1837Chain: race condition (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) from improper handling of a page transition in web client while an applet is loading (Context Switching Race Condition) leads to use after free (Use After Free)
CVE-2004-2260Browser updates address bar as soon as user clicks on a link instead of when the page has loaded, allowing spoofing by redirecting to another page using onUnload method. ** this is one example of the role of "hooks" and context switches, and should be captured somehow - also a race condition of sorts **
CVE-2004-0191XSS when web browser executes Javascript events in the context of a new page while it's being loaded, allowing interaction with previous page in different domain.
CVE-2004-2491Web browser fills in address bar of clicked-on link before page has been loaded, and doesn't update afterward.
References 1
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
CanAlsoBe: Signal Handler Race Condition (CWE-364)
Taxonomy Mapping
  • PLOVER
Notes
RelationshipCan overlap signal handler race conditions.
Research GapUnder-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.