Description
A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.
This is commonly seen in web browser vulnerabilities in which the attacker can perform certain actions while the browser is transitioning from a trusted to an untrusted domain, or vice versa, and the browser performs the actions on one domain using the trust level and resources of the other domain.
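The non-atomic switch described above can be shown with a toy model, next to a form that commits the new context in one step. This is an added example, not code from MITRE or from any browser; the `Tab` class, its methods and the `.example` origins are constructed for illustration.

```javascript
// Constructed toy model of a browsing context; no real browser API is used.
class Tab {
  constructor(origin, doc) {
    this.origin = origin;  // security context used for access checks
    this.doc = doc;        // document that scripts can currently reach
    this.pending = null;   // navigation that has started but not finished loading
  }

  // Non-atomic switch: the origin changes at click time, the document at load time.
  beginNavigationRacy(origin, doc) {
    this.origin = origin;
    this.pending = { origin, doc };
  }

  // Atomic switch: nothing observable changes until commit().
  beginNavigationAtomic(origin, doc) {
    this.pending = { origin, doc };
  }

  // Load finished: origin and document are replaced together.
  commit() {
    const next = this.pending;
    this.origin = next.origin;
    this.doc = next.doc;
    this.pending = null;
  }

  // Invariant a reviewer or test can assert: the checked origin owns the document.
  isConsistent() {
    return this.origin === this.doc.owner;
  }

  // A script event from scriptOrigin asks to read the current document.
  handleEvent(scriptOrigin) {
    if (scriptOrigin !== this.origin) return { allowed: false, data: null };
    return { allowed: true, data: this.doc.secret };
  }
}

// Runs one trusted-to-untrusted transition with an event arriving before the load completes.
function runTransition(begin) {
  const tab = new Tab("https://bank.example", { owner: "https://bank.example", secret: "bank-data" });
  tab[begin]("https://other.example", { owner: "https://other.example", secret: "other-data" });
  const during = { ...tab.handleEvent("https://other.example"), consistent: tab.isConsistent() };
  tab.commit();
  return { during, after: tab.handleEvent("https://other.example") };
}

console.log(runTransition("beginNavigationRacy"), runTransition("beginNavigationAtomic"));
```

In the racy variant the event that arrives mid-transition is checked against the new origin but served from the old document; the `isConsistent()` invariant is false for exactly that window, which makes it a usable assertion in tests of transition code.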
Potential Impact
Integrity, Confidentiality
Modify Application Data, Read Application Data
Detection Methods
- Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2009-1837 | Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416) |
| CVE-2004-2260 | Browser updates address bar as soon as user clicks on a link instead of when the page has loaded, allowing spoofing by redirecting to another page using onUnload method. ** this is one example of the |
| CVE-2004-0191 | XSS when web browser executes JavaScript events in the context of a new page while it's being loaded, allowing interaction with previous page in different domain. |
| CVE-2004-2491 | Web browser fills in address bar of clicked-on link before page has been loaded, and doesn't update afterward. |
Taxonomy Mappings
- PLOVER: — Context Switching Race Condition
Frequently Asked Questions
What is CWE-368?
CWE-368 (Context Switching Race Condition) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness.
How can CWE-368 be exploited?
Attackers can exploit CWE-368 (Context Switching Race Condition) to modify application data or read application data. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.
How do I prevent CWE-368?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-368?
CWE-368 is classified as a Base-level weakness (Medium abstraction). It has been observed in 4 real-world CVEs.