Category: Comprehensive Categorization: Concurrency
Incomplete
Summary
Weaknesses in this category are related to concurrency.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element. |
| CWE-1088 | Synchronous Access of Remote Resource without Timeout | The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite. |
| CWE-1096 | Singleton Class Instance Creation without Proper Locking or Synchronization | The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once. |
| CWE-1223 | Race Condition for Write-Once Attributes | A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue. |
| CWE-1232 | Improper Lock Behavior After Power State Transition | Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable. |
| CWE-1234 | Hardware Internal or Debug Modes Allow Override of Locks | System configuration protection may be bypassed during debug mode. |
| CWE-1264 | Hardware Logic with Insecure De-Synchronization between Control and Data Channels | The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete. |
| CWE-1298 | Hardware Logic Contains Race Conditions | A race condition in the hardware logic results in undermining security guarantees of the system. |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
| CWE-363 | Race Condition Enabling Link Following | The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file. |
| CWE-364 | Signal Handler Race Condition | The product uses a signal handler that introduces a race condition. |
| CWE-366 | Race Condition within a Thread | If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
| CWE-368 | Context Switching Race Condition | A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch. |
| CWE-412 | Unrestricted Externally Accessible Lock | The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control. |
| CWE-413 | Improper Resource Locking | The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. |
| CWE-414 | Missing Lock Check | A product does not check to see if a lock is present before performing sensitive operations on a resource. |
| CWE-432 | Dangerous Signal Handler not Disabled During Sensitive Operations | The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running. |
| CWE-479 | Signal Handler Use of a Non-reentrant Function | The product defines a signal handler that calls a non-reentrant function. |
| CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | The product uses the singleton pattern when creating a resource within a multithreaded environment. |
| CWE-558 | Use of getlogin() in Multithreaded Application | The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. |
| CWE-567 | Unsynchronized Access to Shared Data in a Multithreaded Context | The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. |
| CWE-572 | Call to Thread run() instead of start() | The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. |
| CWE-574 | EJB Bad Practices: Use of Synchronization Primitives | The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives. |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. |
| CWE-609 | Double-Checked Locking | The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. |
| CWE-663 | Use of a Non-reentrant Function in a Concurrent Context | The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state. |
| CWE-667 | Improper Locking | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
| CWE-689 | Permission Race Condition During Resource Copy | The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place. |
| CWE-764 | Multiple Locks of a Critical Resource | The product locks a critical resource more times than intended, leading to an unexpected state in the system. |
| CWE-765 | Multiple Unlocks of a Critical Resource | The product unlocks a critical resource more times than intended, leading to an unexpected state in the system. |
| CWE-820 | Missing Synchronization | The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. |
| CWE-821 | Incorrect Synchronization | The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource. |
| CWE-828 | Signal Handler with Functionality that is not Asynchronous-Safe | The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted. |
| CWE-831 | Signal Handler Function Associated with Multiple Signals | The product defines a function that is used as a handler for more than one signal. |
| CWE-832 | Unlock of a Resource that is not Locked | The product attempts to unlock a resource that is not locked. |
| CWE-833 | Deadlock | The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.