CWE-367— Time-of-check Time-of-use (TOCTOU) Race Condition
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.— MITRE CWE catalog
659 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-367page 14 of 14
- CVE-2026-5947MEDIUMCVSS 5.9EG 7.52026-05-20
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursi…
- CVE-2026-5958LOWCVSS 2.1EG 2.12026-04-20
When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved pat…
- CVE-2026-6180HIGHCVSS 8.1EG 8.12026-05-05
A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly proce…
- CVE-2026-6733LOWCVSS 3.7EG 3.72026-06-17
Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When…
- CVE-2026-7724MEDIUMCVSS 5.0EG 5.02026-05-04
A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is…
- CVE-2026-7791HIGHCVSS 7.8EG 7.82026-05-04
Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary loc…
- CVE-2026-7837LOWCVSS 3.7EG 3.72026-05-21
A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race cond…
- CVE-2026-7846LOWCVSS 2.6EG 2.62026-05-05
A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component OpenAI-Compatible File Upload A…
- CVE-2026-9796MEDIUMCVSS 6.5EG 6.52026-05-28
A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their p…
Map vulnerabilities like CWE-367 to your infrastructure
EchelonGraph correlates every CVE — across CWE-367 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →