CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')


A program contains different kinds of code sequences: some run simultaneously with other code, while others require special access to a resource for a limited time. Such a code sequence can be altered by another code sequence operating within the same time window.
Such changes harm the security of the system, especially where they affect user authentication information or code that must not be changed by outsiders. A code sequence can take different forms depending on the context.
A race condition usually breaks two closely related properties:
1. Exclusivity (a code sequence is given access to a resource, and no other code sequence can alter that resource until the original one has finished its work).
2. Atomicity (every code sequence is atomic and is responsible only for its own commands and processes).
A race condition occurs when one code sequence violates the exclusivity of another and tries to gain access to one of its resources. If some code execution isn't affected by another code execution, its atomicity is violated.
A code sequence that tries to break exclusivity or atomicity is called interfering, and interfering code sequences are divided into "trusted" and "untrusted". The first works only within the program and cannot be changed by attackers; the second may be created by an attacker and is used only externally.
The weakness allows attackers to overwrite important user data, exhaust the system's resources, and even crash the program.
The vulnerability is introduced during the Architecture and Design and Implementation stages.
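The exclusivity and atomicity properties described above can be seen in a check-then-update sequence on a shared balance. This is an added example, not taken from the CWE entry: the `Account` class, `hold_window` and `race` are hypothetical names, and a barrier is used only to hold both threads inside the timing window so the outcome is repeatable.

```python
import threading

WINDOW_TIMEOUT = 0.5  # seconds a thread waits inside the window for its peer


def hold_window(barrier):
    """Pause between check and update until the peer thread arrives or time runs out."""
    try:
        barrier.wait(timeout=WINDOW_TIMEOUT)
    except threading.BrokenBarrierError:
        pass  # peer never entered the window (it was kept out by the lock)


class Account:
    """Constructed shared resource: one balance used by two threads."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_unsafe(self, amount, barrier):
        # Check and update are separate steps with no exclusive access,
        # so another thread can act on the same stale balance in between.
        if self.balance >= amount:
            hold_window(barrier)
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount, barrier):
        # The lock gives this sequence exclusive access and makes
        # check-plus-update one atomic unit for every other thread.
        with self.lock:
            return self.withdraw_unsafe(amount, barrier)


def race(method_name, balance=100, amount=100):
    """Run two concurrent withdrawals; return (withdrawals granted, final balance)."""
    account = Account(balance)
    barrier = threading.Barrier(2)
    granted = []
    workers = [
        threading.Thread(
            target=lambda: granted.append(getattr(account, method_name)(amount, barrier))
        )
        for _ in range(2)
    ]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sum(granted), account.balance
```

With the unsynchronized method both withdrawals of 100 are granted from a balance of 100; with the lock held across the check and the update, only one is.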



Description of CWE-362 on the MITRE website