This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).
| ID | Name | Description |
|---|---|---|
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | A race condition occurs when multiple processes or threads access a shared resource simultaneously without proper coordination, creating a timing window where the resource's state can be unexpectedly altered, leading to unpredictable behavior or security vulnerabilities. |
| CWE-363 | Race Condition Enabling Link Following | This vulnerability occurs when a program checks a file's status before using it, creating a brief window where an attacker can replace that file with a malicious link. This causes the program to follow the link and access an unintended, potentially dangerous location. |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | This vulnerability occurs when a program verifies a resource's state (like a file's permissions or existence) but then uses it after that state has already changed. The gap between checking and using creates a race window where an attacker can manipulate the resource, causing the program to operate on invalid or malicious data. |
| CWE-370 | Missing Check for Certificate Revocation after Initial Check | This vulnerability occurs when software only verifies a certificate's revocation status once, then continues to trust it for subsequent privileged actions without re-checking. This allows operations to proceed even if the certificate is revoked later. |
| CWE-638 | Not Using Complete Mediation | This vulnerability occurs when software fails to verify access permissions every time a user or process tries to use a resource. Instead, it relies on a single, possibly outdated check, creating a security gap if the user's privileges are later revoked or changed. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |