CWE-366: Race Condition within a Thread

Description

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

Extended Description

N/A

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-2022-2621

Chain: two threads in a web browser use the same resource (CWE-366), but one of those threads can destroy the resource before the other has completed (CWE-416).

Related Attack Patterns (CAPEC)

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Alter Execution Logic, Unexpected State — Notes: The main problem is that -- if a lock is overcome -- data could be altered in a bad state.

Potential Mitigations

Architecture and Design: Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment. (N/A)
Architecture and Design: Create resource-locking validation checks. If no inherent locking mechanisms exist, use flags and signals to enforce your own blocking scheme when resources are being used by other threads of execution. (N/A)

Applicable Platforms

C (N/A, Undetermined)
C++ (N/A, Undetermined)
Java (N/A, Undetermined)
C# (N/A, Undetermined)

Demonstrative Examples

Intro: The following example demonstrates the weakness.

int foo = 0; int storenum(int num) { static int counter = 0; counter++; if (num > foo) foo = num; return foo; }

Notes

No notes available.

← Back to CWE list