CWE-366: Race Condition within a Thread

Description

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

Potential Impact

Integrity, Other

Alter Execution Logic, Unexpected State

Demonstrative Examples

The following example demonstrates the weakness.

Bad

int foo = 0;int storenum(int num) {static int counter = 0;counter++;if (num > foo) foo = num;return foo;}

Bad

public classRace {
                        static int foo = 0;public static void main() {
                              
                                 new Threader().start();foo = 1;
                           }public static class Threader extends Thread {
                              
                                 public void run() {System.out.println(foo);}
                           }
                     }

Mitigations & Prevention

Architecture and Design

Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment.

Architecture and Design

Create resource-locking validation checks. If no inherent locking mechanisms exist, use flags and signals to enforce your own blocking scheme when resources are being used by other threads of execution.

Detection Methods

Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID	Description
CVE-2022-2621	Chain: two threads in a web browser use the same resource (CWE-366), but one of those threads can destroy the resource before the other has completed (CWE-416).

Taxonomy Mappings

CLASP: — Race condition within a thread
CERT C Secure Coding: CON32-C — Prevent data races when accessing bit-fields from multiple threads
CERT C Secure Coding: CON40-C — Do not refer to an atomic variable twice in an expression
CERT C Secure Coding: CON43-C — Do not allow data races in multithreaded code
The CERT Oracle Secure Coding Standard for Java (2011): VNA02-J — Ensure that compound operations on shared variables are atomic
The CERT Oracle Secure Coding Standard for Java (2011): VNA03-J — Do not assume that a group of calls to independently atomic methods is atomic
Software Fault Patterns: SFP19 — Missing Lock

Frequently Asked Questions

What is CWE-366?

CWE-366 (Race Condition within a Thread) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

How can CWE-366 be exploited?

Attackers can exploit CWE-366 (Race Condition within a Thread) to alter execution logic, unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-366?

Key mitigations include: Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment.

What is the severity of CWE-366?

CWE-366 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.