Comprehensive Categorization: Concurrency

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to concurrency.


Call to Thread run() instead of start()

The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a ...

Context Switching Race Condition

A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker...

Dangerous Signal Handler not Disabled During Sensitive Operations

The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while...


The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

Double-Checked Locking

The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.

EJB Bad Practices: Use of Synchronization Primitives

The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.

Hardware Internal or Debug Modes Allow Override of Locks

System configuration protection may be bypassed during debug mode.

Hardware Logic Contains Race Conditions

A race condition in the hardware logic results in undermining security guarantees of the system.

Hardware Logic with Insecure De-Synchronization between Control and Data Channels

The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.

Improper Lock Behavior After Power State Transition

Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power...

Improper Locking

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Improper Resource Locking

The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.

Incorrect Synchronization

The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.

Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element

The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member d...

Missing Lock Check

A product does not check to see if a lock is present before performing sensitive operations on a resource.

Missing Synchronization

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

Multiple Locks of a Critical Resource

The product locks a critical resource more times than intended, leading to an unexpected state in the system.

Multiple Unlocks of a Critical Resource

The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.

Permission Race Condition During Resource Copy

The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to...

Race Condition Enabling Link Following

The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the acce...

Race Condition for Write-Once Attributes

A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition ...

Race Condition within a Thread

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution...

Sensitive Data Storage in Improperly Locked Memory

The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk b...

Signal Handler Function Associated with Multiple Signals

The product defines a function that is used as a handler for more than one signal.

Signal Handler Race Condition

The product uses a signal handler that introduces a race condition.

Signal Handler Use of a Non-reentrant Function

The product defines a signal handler that calls a non-reentrant function.

Signal Handler with Functionality that is not Asynchronous-Safe

The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.

Singleton Class Instance Creation without Proper Locking or Synchronization

The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only in...

Synchronous Access of Remote Resource without Timeout

The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the ...

Unlock of a Resource that is not Locked

The product attempts to unlock a resource that is not locked.

Unrestricted Externally Accessible Lock

The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of ...

Unsynchronized Access to Shared Data in a Multithreaded Context

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Use of a Non-reentrant Function in a Concurrent Context

The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call t...

Use of getlogin() in Multithreaded Application

The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

Use of Singleton Pattern Without Synchronization in a Multithreaded Context

The product uses the singleton pattern when creating a resource within a multithreaded environment.


Comprehensive Categorization for Software Assurance Trends

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...

See Also

  1. CVE --> CWE Mapping Guidance - Quick Tips


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.