CWE-662: Improper Synchronization
The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
Last updated
Overview
Synchronization refers to a variety of behaviors and mechanisms that allow two or more independently-operating processes or threads to ensure that they operate on shared resources in predictable ways that do not interfere with each other. Some shared resource operations cannot be executed atomically; that is, multiple steps must be guaranteed to execute sequentially, without any interference by other processes. Synchronization mechanisms vary widely, but they may include locking, mutexes, and semaphores. When a multi-step operation on a shared resource cannot be guaranteed to execute independent of interference, then the resulting behavior can be unpredictable. Improper synchronization could lead to data or memory corruption, denial of service, etc.
Real-world CVEs
15 recorded CVEs are caused by CWE-662 (Improper Synchronization). The highest-severity and most recent are shown first. 1 new CWE-662 CVE has been recorded so far in 2026 (2 in 2025).
- CVE-2024-32644Critical · CVSS 9.1 · EPSS 57th2024-04-19
- CVE-2024-7409
Qemu: denial of service via improper synchronization in qemu nbd server during socket closure
High · CVSS 7.5 · EPSS 60th2024-08-05 - CVE-2023-20625Medium · CVSS 6.4 · EPSS 0th2023-03-07
- CVE-2023-20607Medium · CVSS 6.4 · EPSS 1th2023-02-06
- CVE-2022-32642Medium · CVSS 6.4 · EPSS 3th2023-02-06
- CVE-2023-20611Medium · CVSS 6.4 · EPSS 1th2023-02-06
- CVE-2023-20610Medium · CVSS 6.4 · EPSS 1th2023-02-06
- CVE-2022-32643Medium · CVSS 6.4 · EPSS 5th2023-02-06
- CVE-2022-32648Medium · CVSS 6.4 · EPSS 2th2023-01-03
- CVE-2022-32644Medium · CVSS 6.4 · EPSS 2th2023-01-03
- CVE-2022-32609Medium · CVSS 6.4 · EPSS 2th2022-11-08
- CVE-2022-32610Medium · CVSS 6.4 · EPSS 2th2022-11-08
Showing 12 of 15 recorded CWE-662 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-662 vulnerabilitiesCommon consequences
What can happen when CWE-662 is exploited.
Modify Application Data, Read Application Data, Alter Execution Logic
Affects: Integrity, Confidentiality, Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-662, grouped by where in the lifecycle they apply.
Use industry standard APIs to synchronize your code.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following function attempts to acquire a lock in order to perform operations on a shared resource.
Vulnerable example
void f(pthread_mutex_t *mutex) {Safe example
int f(pthread_mutex_t *mutex) {The following code intends to fork a process, then have both the parent and child processes print a single line.
Vulnerable example
static void print (char * string) {Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-1782CISA KEV— Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV.
- CVE-2009-0935 — Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice
Terminology & mappings
Mapped taxonomies
- CERT C Secure Coding: Mask signals handled by noninterruptible signal handlers (SIG00-C)
- CERT C Secure Coding: Do not access shared objects in signal handlers (SIG31-C) — CWE More Abstract fit
- CLASP: State synchronization error
- The CERT Oracle Secure Coding Standard for Java (2011): Do not assume that a group of calls to independently atomic methods is atomic (VNA03-J)
- Software Fault Patterns: Missing Lock (SFP19)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-662.
- What is CWE-662?
- The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
- What CVEs are caused by CWE-662?
- 15 recorded CVEs are attributed to CWE-662, including CVE-2024-32644, CVE-2024-7409, CVE-2023-20625.
- How do you prevent CWE-662?
- Use industry standard APIs to synchronize your code.
- How is CWE-662 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-662?
- Exploiting CWE-662 can lead to: Modify Application Data, Read Application Data, Alter Execution Logic.
- Is CWE-662 actively exploited?
- 15 recorded CVEs are caused by CWE-662; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-662) (opens in a new tab)
- CWE-662 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-662
Get alerted the moment a new CWE-662 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.