CWE-609: Double-Checked Locking
The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.
Last updated
Overview
Double-checked locking refers to the situation where a programmer checks to see if a resource has been initialized, grabs a lock, checks again to see if the resource has been initialized, and then performs the initialization if it has not occurred yet. This should not be done, as it is not guaranteed to work in all languages and on all architectures. In summary, other threads may not be operating inside the synchronous block and are not guaranteed to see the operations execute in the same order as they would appear inside the synchronous block.
Common consequences
What can happen when CWE-609 is exploited.
Modify Application Data, Alter Execution Logic
Affects: Integrity, Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-609, grouped by where in the lifecycle they apply.
While double-checked locking can be achieved in some languages, it is inherently flawed in Java before 1.5, and cannot be achieved without compromising platform independence. Before Java 1.5, only use of the synchronized keyword is known to work. Beginning in Java 1.5, use of the "volatile" keyword allows double-checked locking to work successfully, although there is some debate as to whether it achieves sufficient performance gains. See references.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
It may seem that the following bit of code achieves thread safety while avoiding unnecessary synchronization...
Vulnerable example
if (helper == null) {Vulnerable example
helper = new Helper();Terminology & mappings
Mapped taxonomies
- The CERT Oracle Secure Coding Standard for Java (2011): Do not use incorrect forms of the double-checked locking idiom (LCK10-J)
- Software Fault Patterns: Missing Lock (SFP19)
Frequently asked questions
Common questions about CWE-609.
- What is CWE-609?
- The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.
- How do you prevent CWE-609?
- While double-checked locking can be achieved in some languages, it is inherently flawed in Java before 1.5, and cannot be achieved without compromising platform independence. Before Java 1.5, only use of the synchronized keyword is known to work. Beginning in Java 1.5, use of the "volatile" keyword allows double-checked locking to work successfully, although there is some debate as to whether it achieves sufficient performance gains. See references.
- How is CWE-609 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-609?
- Exploiting CWE-609 can lead to: Modify Application Data, Alter Execution Logic.
References
- MITRE CWE definition (CWE-609) (opens in a new tab)
- CWE-609 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-609
Get alerted the moment a new CWE-609 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.