CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Also known as: Race Condition
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Last updated
Overview
A race condition occurs within concurrent environments, and it is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc. A race condition violates these properties, which are closely related: Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties of the shared resource before the original sequence has completed execution. Atomicity - the code sequence is behaviorally atomic, i.e., no other thread or process can concurrently execute the same sequence of instructions (or a subset) against the same resource. A race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity. The interfering code sequence could be "trusted" or "untrusted." A trusted interfering code sequence occurs within the product; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and typically it is external to the vulnerable product.
Real-world CVEs
785 recorded CVEs are caused by CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')), including 7 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 252 new CWE-362 CVEs have been recorded so far in 2026 (207 in 2025).
- CVE-2021-21166CISA KEVCritical · CVSS 9.0 · EPSS 98th2021-03-09
- CVE-2020-6820CISA KEVCritical · CVSS 9.0 · EPSS 93th2020-04-24
- CVE-2023-36884CISA KEV
Windows Search Remote Code Execution Vulnerability
High · CVSS 7.5 · EPSS 100th2023-07-11 - CVE-2022-26904CISA KEV
Windows User Profile Service Elevation of Privilege Vulnerability
High · CVSS 7.3 · EPSS 95th2022-04-15 - CVE-2014-0196CISA KEVHigh · CVSS 7.3 · EPSS 97th2014-05-07
- CVE-2021-25395CISA KEVHigh · CVSS 7.1 · EPSS 29th2021-06-11
- CVE-2016-5195CISA KEVHigh · CVSS 7.0 · EPSS 100th2016-11-10
- CVE-2026-0083Critical · CVSS 10.0 · EPSS 2th2026-06-17
- CVE-2026-0068Critical · CVSS 10.0 · EPSS 2th2026-06-17
- CVE-2025-66419
MaxKB vulnerable to privilege escalation through sandbox bypass
Critical · CVSS 10.0 · EPSS 20th2025-12-11 - CVE-2024-27102Critical · CVSS 10.0 · EPSS 42th2024-03-13
- CVE-2022-27626Critical · CVSS 10.0 · EPSS 58th2022-10-20
Showing 12 of 785 recorded CWE-362 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-362 vulnerabilitiesCommon consequences
What can happen when CWE-362 is exploited.
DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
Affects: Availability
When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion.
DoS: Crash, Exit, or Restart, DoS: Instability
Affects: Availability
When a race condition allows multiple control flows to access a resource simultaneously, it might lead the product(s) into unexpected states, possibly resulting in a crash.
Read Files or Directories, Read Application Data
Affects: Confidentiality, Integrity
When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).
Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism
Affects: Access Control
This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
Technologies
How to prevent it
Practical mitigations for CWE-362, grouped by where in the lifecycle they apply.
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Use thread-safe capabilities such as the data access abstraction in Spring.
Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
When using multithreading and operating on shared variables, only use thread-safe functions.
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
How to detect it
Black Box
Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.
White Box
Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).
Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.
Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.
Effectiveness: Moderate
Automated Static Analysis - Binary or Bytecode
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Dynamic Analysis with Automated Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Dynamic Analysis with Manual Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Manual Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Automated Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Architecture or Design Review
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.
Vulnerable example
$transfer_amount = GetTransferAmount();Attack input
In the following pseudocode, the attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account.The following function attempts to acquire a lock in order to perform operations on a shared resource.
Vulnerable example
void f(pthread_mutex_t *mutex) {Safe example
int f(pthread_mutex_t *mutex) {Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.
Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2024-38106CISA KEV— OS kernel stores sensitive data in improperly locked memory, allowing local users to gain privileges by winning a race condition
- CVE-2021-1782CISA KEV— Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV.
- CVE-2021-0920CISA KEV— Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
- CVE-2020-6819CISA KEV— Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
- CVE-2022-29527 — Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition.
- CVE-2019-18827 — chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys
- CVE-2019-1161 — Chain: race condition (CWE-362) in anti-malware product allows deletion of files by creating a junction (CWE-1386) and using hard links during the time window in which a temporary file is created and deleted.
- CVE-2015-1743 — TOCTOU in sandbox process allows installation of untrusted browser add-ons by replacing a file after it has been verified, but before it is executed
- CVE-2014-8273 — Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237].
- CVE-2008-5044 — Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time.
- CVE-2008-2958 — chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
- CVE-2008-1570 — chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
- CVE-2008-0058 — Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object.
- CVE-2008-0379 — Race condition during initialization triggers a buffer overflow.
- CVE-2007-6599 — Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock.
- CVE-2007-6180 — chain: race condition triggers NULL pointer dereference
- CVE-2007-5794 — Race condition in library function could cause data to be sent to the wrong process.
- CVE-2007-3970 — Race condition in file parser leads to heap corruption.
- CVE-2008-5021 — chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory.
- CVE-2009-4895 — chain: race condition for an argument value, possibly resulting in NULL dereference
- CVE-2009-3547 — Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
- CVE-2006-5051 — Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
Terminology & mappings
Alternate terms
- Race Condition
Mapped taxonomies
- PLOVER: Race Conditions
- The CERT Oracle Secure Coding Standard for Java (2011): Do not assume that a group of calls to independently atomic methods is atomic (VNA03-J)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-362.
- What is CWE-362?
- The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
- What CVEs are caused by CWE-362?
- 785 recorded CVEs are attributed to CWE-362, including CVE-2021-21166, CVE-2020-6820, CVE-2023-36884. 7 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-362?
- In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
- How is CWE-362 detected?
- Black Box: Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.
- What are the consequences of CWE-362?
- Exploiting CWE-362 can lead to: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), DoS: Crash, Exit, or Restart, DoS: Instability, Read Files or Directories.
- Is CWE-362 actively exploited?
- Yes. 7 CWE-362 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 785 recorded CVEs.
References
- MITRE CWE definition (CWE-362) (opens in a new tab)
- CWE-362 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-362
Get alerted the moment a new CWE-362 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.