1. Home
  2. CWE Database
  3. CWE-764
Base · Medium

CWE-764: Multiple Locks of a Critical Resource

The product locks a critical resource more times than intended, leading to an unexpected state in the system.

CWE-764 · Base Level ·1 Mitigations

Description

The product locks a critical resource more times than intended, leading to an unexpected state in the system.

When a product is operating in a concurrent environment and repeatedly locks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra locking calls will reduce the size of the total available pool, possibly leading to degraded performance or a denial of service. If this can be triggered by an attacker, it will be similar to an unrestricted lock (CWE-412). In the context of a binary lock, it is likely that any duplicate locking attempts will never succeed since the lock is already held and progress may not be possible.

Potential Impact

Availability, Integrity

DoS: Resource Consumption (CPU), DoS: Crash, Exit, or Restart, Unexpected State

Mitigations & Prevention

Implementation

When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the software acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-667: Improper Locking

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and ...

CWE-675: Multiple Operations on Resource in Single-Operation Context

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

CWE-662: Improper Synchronization

The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource ...

Taxonomy Mappings

  • Software Fault Patterns: SFP21 — Multiple locks/unlocks

Frequently Asked Questions

What is CWE-764?

CWE-764 (Multiple Locks of a Critical Resource) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product locks a critical resource more times than intended, leading to an unexpected state in the system.

How can CWE-764 be exploited?

Attackers can exploit CWE-764 (Multiple Locks of a Critical Resource) to dos: resource consumption (cpu), dos: crash, exit, or restart, unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-764?

Key mitigations include: When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the software a

What is the severity of CWE-764?

CWE-764 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.