CWE-362— Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.— MITRE CWE catalog
2,207 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-362page 40 of 45
- CVE-2026-13874MEDIUMCVSS 5.3EG 5.32026-06-30
Race in DataTransfer in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-13882CRITICALCVSS 9.6EG 9.62026-06-30
Race in USB in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-13905MEDIUMCVSS 4.2EG 4.22026-06-30
Race in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via physical access to the device. (Chromium security severity: Medium)
- CVE-2026-14015MEDIUMCVSS 6.5EG 6.52026-06-30
Race in WebRTC in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-14082MEDIUMCVSS 6.5EG 6.52026-06-30
Race in Storage in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-14133MEDIUMCVSS 4.2EG 4.22026-07-01
Race in History Embeddings in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-15119HIGHCVSS 8.3EG 8.32026-07-08
Race in GetUserMedia in Google Chrome prior to 150.0.7871.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-20617HIGHCVSS 7.0EG 7.02026-02-11
A race condition was addressed with improved state handling. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An app may be able to gain root privileges.
- CVE-2026-20677CRITICALCVSS 9.0EG 9.02026-02-11
A race condition was addressed with improved handling of symbolic links. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A shortcut may be able to bypass …
- CVE-2026-20808HIGHCVSS 7.0EG 7.02026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Printer Association Object allows an authorized attacker to elevate privileges locally.
- CVE-2026-20814HIGHCVSS 7.0EG 7.02026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally.
- CVE-2026-20815HIGHCVSS 7.0EG 7.02026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.
- CVE-2026-20826HIGHCVSS 7.8EG 7.82026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to elevate privileges locally.
- CVE-2026-20830HIGHCVSS 7.0EG 7.02026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.
- CVE-2026-20836HIGHCVSS 7.0EG 7.02026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally.
- CVE-2026-20844HIGHCVSS 7.4EG 7.42026-01-13
Use after free in Windows Clipboard Server allows an unauthorized attacker to elevate privileges locally.
- CVE-2026-20848HIGHCVSS 7.5EG 7.52026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
- CVE-2026-20853HIGHCVSS 7.4EG 7.42026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows WalletService allows an unauthorized attacker to elevate privileges locally.
- CVE-2026-20858HIGHCVSS 7.8EG 7.82026-01-13
Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20861HIGHCVSS 7.8EG 7.82026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20866HIGHCVSS 7.8EG 7.82026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20867HIGHCVSS 7.8EG 7.82026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20869HIGHCVSS 7.0EG 7.02026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally.
- CVE-2026-20873HIGHCVSS 7.8EG 7.82026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20874HIGHCVSS 7.8EG 7.82026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20877HIGHCVSS 7.8EG 7.82026-01-13
Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20918HIGHCVSS 7.8EG 7.82026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20919HIGHCVSS 7.5EG 7.52026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
- CVE-2026-20921HIGHCVSS 7.5EG 7.52026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
- CVE-2026-20924HIGHCVSS 7.8EG 7.82026-01-13
Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20926HIGHCVSS 7.5EG 7.52026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
- CVE-2026-20927MEDIUMCVSS 5.3EG 5.32026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network.
- CVE-2026-20930HIGHCVSS 7.8EG 7.82026-04-14
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
- CVE-2026-20934HIGHCVSS 7.5EG 7.52026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
- CVE-2026-21221HIGHCVSS 7.0EG 7.02026-01-13
Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.
- CVE-2026-21231HIGHCVSS 7.8EG 7.82026-02-10
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally.
- CVE-2026-21234HIGHCVSS 7.0EG 7.02026-02-10
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally.
- CVE-2026-21237HIGHCVSS 7.0EG 7.02026-02-10
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally.
- CVE-2026-21697HIGHCVSS 8.1EG 8.12026-01-07
axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly m…
- CVE-2026-22548MEDIUMCVSS 5.9EG 5.92026-02-04
When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. Note: Software versions which have reac…
- CVE-2026-22701MEDIUMCVSS 5.3EG 5.32026-01-10
filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permiss…
- CVE-2026-22702MEDIUMCVSS 4.5EG 4.52026-01-10
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation…
- CVE-2026-22851MEDIUMCVSS 5.9EG 5.92026-01-14
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer…
- CVE-2026-22856HIGHCVSS 8.1EG 8.12026-01-14
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another read…
- CVE-2026-22986MEDIUMCVSS 4.7EG 4.72026-01-23
In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix race condition for gdev->srcu If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc()…
- CVE-2026-23004HIGHCVSS 7.8EG 4.72026-01-25
In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Cras…
- CVE-2026-23071CVSS 0.0EG 4.72026-02-04
In the Linux kernel, the following vulnerability has been resolved: regmap: Fix race condition in hwspinlock irqsave routine Previously, the address of the shared member '&map->spinlock_flags' was passed directly to 'hwspin_lock_timeout_…
- CVE-2026-23110CVSS 0.0EG 4.72026-02-04
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error …
- CVE-2026-23115MEDIUMCVSS 4.7EG 4.72026-02-14
In the Linux kernel, the following vulnerability has been resolved: serial: Fix not set tty->port race condition Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not red…
- CVE-2026-23118MEDIUMCVSS 4.7EG 4.72026-02-14
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix data-race warning and potential load/store tearing Fix the following: BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet …
Map vulnerabilities like CWE-362 to your infrastructure
EchelonGraph correlates every CVE — across CWE-362 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →