CWE-362— Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.— MITRE CWE catalog
2,207 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-362page 43 of 45
- CVE-2026-34856HIGHCVSS 7.3EG 7.32026-04-13
UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.
- CVE-2026-34857MEDIUMCVSS 4.7EG 4.72026-04-13
UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.
- CVE-2026-34858MEDIUMCVSS 4.1EG 4.12026-04-13
UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.
- CVE-2026-34861MEDIUMCVSS 6.3EG 6.32026-04-13
Race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability.
- CVE-2026-34862MEDIUMCVSS 6.3EG 6.32026-04-13
Race condition vulnerability in the power consumption statistics module. Impact: Successful exploitation of this vulnerability may affect availability.
- CVE-2026-35099HIGHCVSS 7.4EG 7.42026-04-01
Lakeside SysTrack Agent 11 before 11.5.0.15 has a race condition with resultant local privilege escalation to SYSTEM. The fixed versions are 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15.
- CVE-2026-35554HIGHCVSS 8.7EG 8.72026-04-07
A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containi…
- CVE-2026-39880MEDIUMCVSS 5.0EG 5.02026-04-08
Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register…
- CVE-2026-40155MEDIUMCVSS 5.4EG 5.42026-04-17
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper look…
- CVE-2026-40178MEDIUMCVSS 5.9EG 5.92026-04-10
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible during a short moment after the authentication of an user to bypass its authentication. This …
- CVE-2026-40943HIGHCVSS 8.7EG 8.72026-04-21
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking …
- CVE-2026-41458HIGHCVSS 8.2EG 8.22026-04-22
OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attac…
- CVE-2026-41913LOWCVSS 3.7EG 3.72026-04-28
OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultane…
- CVE-2026-41964HIGHCVSS 8.4EG 8.42026-05-15
Permission control vulnerability in the web. Impact: Successful exploitation of this vulnerability may affect availability.
- CVE-2026-42099HIGHCVSS 7.5EG 7.52026-05-19
Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__…
- CVE-2026-42487HIGHCVSS 7.9EG 7.92026-06-18
HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed at any time. Traversal of those…
- CVE-2026-42594HIGHCVSS 7.5EG 7.52026-05-14
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recyc…
- CVE-2026-42836HIGHCVSS 7.0EG 7.02026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
- CVE-2026-42909HIGHCVSS 7.5EG 7.52026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-42912HIGHCVSS 7.0EG 7.02026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
- CVE-2026-42913HIGHCVSS 7.5EG 7.52026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-42977HIGHCVSS 7.8EG 7.82026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
- CVE-2026-42978HIGHCVSS 7.8EG 7.82026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
- CVE-2026-42979HIGHCVSS 7.8EG 7.82026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
- CVE-2026-42991HIGHCVSS 7.8EG 7.82026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
- CVE-2026-43023HIGHCVSS 7.8EG 7.82026-05-01
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: fix race conditions in sco_sock_connect() sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscal…
- CVE-2026-43116HIGHCVSS 7.8EG 7.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making…
- CVE-2026-43121MEDIUMCVSS 4.7EG 4.72026-05-06
In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed…
- CVE-2026-43163MEDIUMCVSS 4.7EG 4.72026-05-06
In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] …
- CVE-2026-43198CRITICALCVSS 9.8EG 9.82026-05-06
In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock()…
- CVE-2026-43275MEDIUMCVSS 4.7EG 4.72026-05-06
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime…
- CVE-2026-43342MEDIUMCVSS 4.7EG 4.72026-05-08
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Protect RNDIS options with mutex The class/subclass/protocol options are suspectible to race conditions as they can be accessed concurrently throug…
- CVE-2026-43353HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time…
- CVE-2026-43415MEDIUMCVSS 4.7EG 4.72026-05-08
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is …
- CVE-2026-43430MEDIUMCVSS 4.7EG 4.72026-05-08
In the Linux kernel, the following vulnerability has been resolved: usb: yurex: fix race in probe The bbu member of the descriptor must be set to the value standing for uninitialized values before the URB whose completion handler sets bb…
- CVE-2026-43439MEDIUMCVSS 4.7EG 4.72026-05-08
In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tas…
- CVE-2026-43448MEDIUMCVSS 4.7EG 4.72026-05-08
In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix race bug in nvme_poll_irqdisable() In the following scenario, pdev can be disabled between (1) and (3) by (2). This sets pdev->msix_enabled = 0. Then, pci_…
- CVE-2026-43659MEDIUMCVSS 4.7EG 4.72026-05-11
A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to acc…
- CVE-2026-4368HIGHCVSS 7.7EG 7.72026-03-23
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup
- CVE-2026-43743MEDIUMCVSS 4.7EG 4.72026-06-29
A race condition was addressed with improved state handling. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. An app may be able to cause unexpected system termination.
- CVE-2026-43930MEDIUMCVSS 5.9EG 5.92026-05-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requ…
- CVE-2026-43981HIGHCVSS 8.2EG 8.22026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not…
- CVE-2026-44059MEDIUMCVSS 4.5EG 4.52026-05-21
A race condition in the privilege toggle mechanism in Netatalk 2.2.5 through 4.4.2 allows a local attacker to obtain limited information, modify limited data, or cause a minor service disruption.
- CVE-2026-44318MEDIUMCVSS 6.5EG 6.52026-05-27
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the m…
- CVE-2026-44443MEDIUMCVSS 4.8EG 4.82026-05-26
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin'…
- CVE-2026-44693HIGHCVSS 8.8EG 8.82026-06-10
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 r…
- CVE-2026-44818HIGHCVSS 7.0EG 7.02026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
- CVE-2026-45090HIGHCVSS 7.5EG 7.52026-05-27
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The chan…
- CVE-2026-45596HIGHCVSS 7.0EG 7.02026-06-09
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
- CVE-2026-45597HIGHCVSS 7.0EG 7.02026-06-09
Concurrent execution using shared resource with improper synchronization ('race condition') in UI Automation Manager (uiamanager.dll) allows an authorized attacker to elevate privileges locally.
Map vulnerabilities like CWE-362 to your infrastructure
EchelonGraph correlates every CVE — across CWE-362 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →