Description
The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
Potential Impact
Availability
DoS: Resource Consumption (CPU), DoS: Resource Consumption (Other), DoS: Crash, Exit, or Restart
Detection Methods
- Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-1999-1476 | A bug in some Intel Pentium processors allows DoS (hang) via an invalid "CMPXCHG8B" instruction, causing a deadlock |
| CVE-2009-2857 | OS deadlock |
| CVE-2009-1961 | OS deadlock involving 3 separate functions |
| CVE-2009-2699 | deadlock in library |
| CVE-2009-4272 | deadlock triggered by packets that force collisions in a routing table |
| CVE-2002-1850 | read/write deadlock between web server and script |
| CVE-2004-0174 | web server deadlock involving multiple listening connections |
| CVE-2009-1388 | multiple simultaneous calls to the same function trigger deadlock. |
| CVE-2006-5158 | chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833). |
| CVE-2006-4342 | deadlock when an operation is performed on a resource while it is being removed. |
| CVE-2006-2374 | Deadlock in device driver triggered by using file handle of a related device. |
| CVE-2006-2275 | Deadlock when large number of small messages cannot be processed quickly enough. |
| CVE-2005-3847 | OS kernel has deadlock triggered by a signal during a core dump. |
| CVE-2005-3106 | Race condition leads to deadlock. |
| CVE-2005-2456 | Chain: array index error (CWE-129) leads to deadlock (CWE-833) |
Related Weaknesses
Taxonomy Mappings
- The CERT Oracle Secure Coding Standard for Java (2011): LCK08-J — Ensure actively held locks are released on exceptional conditions
Frequently Asked Questions
What is CWE-833?
CWE-833 (Deadlock) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
How can CWE-833 be exploited?
Attackers can exploit CWE-833 (Deadlock) to cause a denial of service: resource consumption (CPU), resource consumption (other), or a crash, exit, or restart. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-833?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-833?
CWE-833 is classified as a Base-level weakness (Medium abstraction). It has been observed in 15 real-world CVEs.