Category: Concurrency Issues

Draft
Summary

Weaknesses in this category are related to concurrent use of shared resources.

Membership
| ID | Name | Description |
| --- | --- | --- |
| CWE-1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | This happens when a method or function, designed to run in a multi-threaded environment, accesses or modifies a non-final static variable or class member. Because the static element is not final, its state can be changed unexpectedly by concurrent threads, leading to race conditions and unpredictable behavior. |
| CWE-1322 | Use of Blocking Code in Single-threaded, Non-blocking Context | This vulnerability occurs when an application designed to be single-threaded and non-blocking, for performance and scalability, inadvertently executes code that can block the entire process. If an attacker can trigger this blocking code, it can cause the application to freeze, leading to a denial of service. |
| CWE-364 | Signal Handler Race Condition | A signal handler race condition occurs when a program's signal handling routine is vulnerable to timing issues, allowing its state to be corrupted through asynchronous execution. |
| CWE-366 | Race Condition within a Thread | This vulnerability occurs when two or more threads within the same application access and manipulate a shared resource (like a variable, data structure, or file) without proper synchronization. Because the threads can execute in an unpredictable order, they can corrupt the resource's state, leading to crashes, incorrect calculations, or data loss. |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | This vulnerability occurs when a program verifies a resource's state (like a file's permissions or existence) but then uses it after that state has already changed. The gap between checking and using creates a race window where an attacker can manipulate the resource, causing the program to operate on invalid or malicious data. |
| CWE-368 | Context Switching Race Condition | This vulnerability occurs when an application switches between different security contexts (like privilege levels or domains) using a series of steps that can be interrupted. An attacker can exploit the timing gap during this switch to trick the application into performing actions with the wrong permissions or resources. |
| CWE-386 | Symbolic Name not Mapping to Correct Object | This vulnerability occurs when a program uses a fixed symbolic name (like a constant or identifier) to refer to an object, but that name can later point to a different, unintended object during execution. |
| CWE-421 | Race Condition During Access to Alternate Channel | A race condition occurs when an application opens a secondary communication channel intended for an authorized user, but fails to secure it, allowing other actors to potentially access it first. |
| CWE-663 | Use of a Non-reentrant Function in a Concurrent Context | This vulnerability occurs when a program uses a function that is not safe for reentrancy within a concurrent environment, such as multi-threaded code or signal handlers. If another thread or signal handler interrupts and calls the same function, it can corrupt shared data, cause crashes, or create unpredictable behavior. |
| CWE-820 | Missing Synchronization | This vulnerability occurs when multiple parts of your application (like threads or processes) use the same resource—such as a variable, file, or data structure—without proper coordination to control who accesses it and when. |
| CWE-821 | Incorrect Synchronization | This vulnerability occurs when multiple parts of a program, such as threads or processes, access a shared resource like a variable, file, or data structure without proper coordination, leading to a race condition. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |

Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.