CWE-367 678 个 CVE MITRE 定义 ↗

CWE-367:Time-of-check Time-of-use (TOCTOU) Race Condition

概览

CWE-367(Time-of-check Time-of-use (TOCTOU) Race Condition)描述一种在漏洞数据库与安全评估中使用的弱点类型;定义、背景与映射 CVE 见下方各节。

安全影响
安全影响:因产品与场景而异;请结合 CVE 记录、严重度评分与 MITRE 说明进行优先级判断。

描述

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

适用平台

类型 名称 普遍性 OS / CPE
language Not Language-Specific Undetermined

本库相关 CVE

下列 CVE 在本库中映射到该弱点,并保留以便追溯与检索。

CVE 公开时间 摘要
CVE-2026-58198 2026-07-09 ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract() uses a predictable home-rooted output directory (~/ubuntu_data/ubu…
CVE-2025-58151 2026-07-09 varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF. Within varstored, th…
CVE-2026-54777 2026-07-08 CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF NetNamedPipe transport accepts attachment to a pre-existing named pipe i…
CVE-2026-43927 2026-07-06 FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond …
CVE-2026-25271 2026-07-06 Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use.
CVE-2026-58299 2026-07-03 Time-of-check time-of-use (toctou) race condition in Microsoft Edge for Android allows an unauthorized attacker to execute code over a network.
CVE-2026-55950 2026-07-02 Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener. …
CVE-2026-24260 2026-07-01 NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. A successful exploit of this vulnerability might lead to code exec…
CVE-2026-12374 2026-07-01 Improper certificate validation and a time-of-check time-of-use (TOCTOU) race condition in the PrivilegedHelperTool XPC service in Cato Client before v.5.13.1 on macOS allows a local authenticated att…
CVE-2026-14160 2026-06-29 Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot allows Leveraging Race Conditions. This issue affects Escargot: bab3a5797557014ce3c2e28419a6310cfba90d0…
CVE-2026-57959 2026-06-29 Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem …
CVE-2026-13742 2026-06-29 Honeywell IQ MultiAccess, all versions prior to and including version 28, contain an improper digital signature verification vulnerability. An attacker could potentially exploit this vulnerability, le…
CVE-2026-54370 2026-06-29 acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbo…
CVE-2026-13502 2026-06-28 A flaw has been found in antlr ANTLR4 up to 4.13.2. This affects the function ObjectInputStream.readObject of the file antlr4-maven-plugin/src/main/java/org/antlr/mojo/antlr4/GrammarDependencies.java …
CVE-2026-54353 2026-06-26 Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow valid…
CVE-2026-52885 2026-06-26 Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the …
CVE-2026-53250 2026-06-25 In the Linux kernel, the following vulnerability has been resolved: xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata() The TX metadata area resides in the UMEM buffer which is mem…
CVE-2026-53145 2026-06-25 In the Linux kernel, the following vulnerability has been resolved: drm/gem: Try to fix change_handle ioctl, attempt 4 [airlied: just added some comments on how to reenable] On-list because the cat …
CVE-2026-53945 2026-06-24 Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost…
CVE-2026-52991 2026-06-24 In the Linux kernel, the following vulnerability has been resolved: sched/psi: fix race between file release and pressure write A potential race condition exists between pressure write and cgroup fi…

曾用名

  • Time-of-check Time-of-use Race Condition (2008-10-14)

内容提交

名称
PLOVER
日期
2006-07-19
版本
Draft 3

内容修订

日期 名称 版本 重要性 评论
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-08-01 1.0 added/updated white box definitions
2008-09-08 CWE Content Team 1.0 updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2008-10-14 CWE Content Team 1.0.1 updated Description, Name, Relationships
2008-11-24 CWE Content Team 1.1 updated Relationships, Taxonomy_Mappings
2009-01-12 CWE Content Team 1.2 updated Alternate_Terms, Observed_Examples, Other_Notes, References, Relationship_Notes, Relationships, Research_Gaps
2009-05-27 CWE Content Team 1.4 updated Demonstrative_Examples
2009-07-17 KDM Analytics 1.5 Improved the White_Box_Definition
2009-07-27 CWE Content Team 1.5 updated White_Box_Definitions
2010-09-27 CWE Content Team 1.10 updated Description, Relationships
2010-12-13 CWE Content Team 1.11 updated Alternate_Terms, Relationships
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2011-06-27 CWE Content Team 2.0 updated Common_Consequences
2011-09-13 CWE Content Team 2.1 updated Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, Observed_Examples, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Demonstrative_Examples, Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated References, Relationships
2022-04-28 CWE Content Team 4.7 updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
2022-06-28 CWE Content Team 4.8 updated Observed_Examples
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-04-03 CWE Content Team 4.17 updated Affected_Resources, Observed_Examples
2025-09-09 CWE Content Team 4.18 updated Common_Consequences, Description, Diagram, Modes_of_Introduction
2025-12-11 CWE Content Team 4.19 updated Weakness_Ordinalities
cvelogic Threat Intelligence