Base weakness

Draft

CWE-368: Context Switching Race Condition

A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.

Last updated May 1, 2026

5

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

This is commonly seen in web browser vulnerabilities in which the attacker can perform certain actions while the browser is transitioning from a trusted to an untrusted domain, or vice versa, and the browser performs the actions on one domain using the trust level and resources of the other domain.

Real-world CVEs

5 recorded CVEs are caused by CWE-368 (Context Switching Race Condition). The highest-severity and most recent are shown first.

CVE-2024-34731

High · CVSS 7.7 · EPSS 6th

2024-08-15

CVE-2020-8834

Linux kernel KVM Power8 conflicting use of HSTATE_HOST_R1

Medium · CVSS 6.5 · EPSS 26th

2020-04-09

Common consequences

What can happen when CWE-368 is exploited.

Modify Application Data, Read Application Data

Affects: Integrity, Confidentiality

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2009-1837 — Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416)
CVE-2004-2260 — Browser updates address bar as soon as user clicks on a link instead of when the page has loaded, allowing spoofing by redirecting to another page using onUnload method. ** this is one example of the role of "hooks" and context switches, and should be captured somehow - also a race condition of sorts **
CVE-2004-0191 — XSS when web browser executes Javascript events in the context of a new page while it's being loaded, allowing interaction with previous page in different domain.
CVE-2004-2491 — Web browser fills in address bar of clicked-on link before page has been loaded, and doesn't update afterward.

Terminology & mappings

Mapped taxonomies

PLOVER: Context Switching Race Condition

Attack patterns

CAPEC attack patterns that exploit this weakness.

Frequently asked questions

Common questions about CWE-368.

What is CWE-368?

A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.

What CVEs are caused by CWE-368?

5 recorded CVEs are attributed to CWE-368, including CVE-2022-21806, CVE-2021-21941, CVE-2021-32025.

How is CWE-368 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-368?

Exploiting CWE-368 can lead to: Modify Application Data, Read Application Data.

Is CWE-368 actively exploited?

5 recorded CVEs are caused by CWE-368; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-368

Get alerted the moment a new CWE-368 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing