- What is CWE-367?
- The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
- What CVEs are caused by CWE-367?
- 498 recorded CVEs are attributed to CWE-367, including CVE-2025-22224, CVE-2025-38352, CVE-2024-30088. 5 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-367?
- The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
- How is CWE-367 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-367?
- Exploiting CWE-367 can lead to: Alter Execution Logic, Unexpected State, Modify Application Data, Modify Files or Directories, Modify Memory, Other.
- Is CWE-367 actively exploited?
- Yes. 5 CWE-367 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 498 recorded CVEs.