The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.

What CVEs are caused by CWE-413?

15 recorded CVEs are attributed to CWE-413, including CVE-2025-3450, CVE-2026-32748, CVE-2023-28649.

How do you prevent CWE-413?

Use a non-conflicting privilege scheme.

How is CWE-413 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-413?

Exploiting CWE-413 can lead to: Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart.

Is CWE-413 actively exploited?

15 recorded CVEs are caused by CWE-413; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-413: Improper Resource Locking

CVE-2022-20678

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following function attempts to acquire a lock in order to perform operations on a shared resource.

Vulnerable example

void f(pthread_mutex_t *mutex) {

Safe example

int f(pthread_mutex_t *mutex) {

This Java example shows a simple BankAccount class with deposit and withdraw methods.

Vulnerable example

java

public class BankAccount {

Safe example

java

public class BankAccount {

Safe example

java

public class BankAccount {

CWE-413: Improper Resource Locking

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-413?

What CVEs are caused by CWE-413?

How do you prevent CWE-413?

How is CWE-413 detected?

What are the consequences of CWE-413?

Is CWE-413 actively exploited?

References

Stay ahead of CWE-413

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-413?

What CVEs are caused by CWE-413?

How do you prevent CWE-413?

How is CWE-413 detected?

What are the consequences of CWE-413?

Is CWE-413 actively exploited?

References

Stay ahead of CWE-413