Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (2.7)


CWE-366: Race Condition within a Thread

Weakness ID: 366 (Weakness Base)
Status: Draft
+ Description

Description Summary

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms






+ Common Consequences

Technical Impact: Alter execution logic; Unexpected state

The main problem is that, if a lock is overcome, data could be altered in a bad state.

+ Likelihood of Exploit


+ Demonstrative Examples

Example 1

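(Bad Code)
Example Languages: C and C++

    int foo = 0;
    /* Records the largest value seen so far. Not thread-safe. */
    int storenum(int num) {
        static int counter = 0;
        /* Unsynchronized check-then-update: another thread can change
           foo between the comparison and the assignment. */
        if (num > foo) foo = num;
        return foo;
    }

(Bad Code)
Example Language: Java

    public class Race {
        static int foo = 0;

        public static void main(String[] args) {
            new Threader().start();
            foo = 1; // written with no synchronization against the new thread
        }

        public static class Threader extends Thread {
            public void run() {
                // Unsynchronized read of the shared field: may observe 0 or 1.
                System.out.println(foo);
            }
        }
    }
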
+ Potential Mitigations

Phase: Architecture and Design

Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment.

Phase: Architecture and Design

Create resource-locking sanity checks. If no inherent locking mechanisms exist, use flags and signals to enforce your own blocking scheme when resources are being used by other threads of execution.
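
The locking mitigation applied to the C `storenum()` function from Example 1, as an added example that is not part of the CWE entry. It assumes POSIX threads; the names `storenum_locked`, `foo_lock`, `worker` and `run_workers` and the thread counts are chosen here for illustration.

```c
/* Added example: storenum() from Example 1 with a mutex around the
 * check-then-update of foo. Helper names and sizes are assumptions.
 * Build with: cc -pthread example.c */
#include <pthread.h>
#include <stdint.h>

#define NTHREADS   8
#define PER_THREAD 20000

static int foo = 0;
static pthread_mutex_t foo_lock = PTHREAD_MUTEX_INITIALIZER;

/* The comparison, the store and the read of the result form one critical
 * section, so no other thread can modify foo between them. */
int storenum_locked(int num) {
    int result;
    pthread_mutex_lock(&foo_lock);
    if (num > foo) foo = num;
    result = foo;
    pthread_mutex_unlock(&foo_lock);
    return result;
}

/* Each worker submits its own interleaved sequence of values. */
static void *worker(void *arg) {
    int id = (int)(intptr_t)arg;
    for (int i = 0; i < PER_THREAD; i++)
        storenum_locked(i * NTHREADS + id);
    return NULL;
}

/* Runs NTHREADS concurrent writers and returns the final maximum,
 * or -1 if a thread could not be created. */
int run_workers(void) {
    pthread_t tid[NTHREADS];
    int started = 0;
    foo = 0; /* no worker is running yet, so no lock is needed here */
    for (; started < NTHREADS; started++)
        if (pthread_create(&tid[started], NULL, worker,
                           (void *)(intptr_t)started) != 0)
            break;
    for (int i = 0; i < started; i++)
        pthread_join(tid[i], NULL);
    return started == NTHREADS ? storenum_locked(0) : -1;
}

int main(void) {
    /* Largest value submitted is NTHREADS * PER_THREAD - 1. */
    return run_workers() == NTHREADS * PER_THREAD - 1 ? 0 : 1;
}
```

Readers of `foo` must take the same lock; a locked writer paired with an unlocked reader is still a data race.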

+ Relationships
| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf | Weakness Class | 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ChildOf | Category | 557 | Concurrency Issues | Development Concepts 699 |
| ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary) 631 |
| ChildOf | Category | 748 | CERT C Secure Coding Section 50 - POSIX (POS) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734 |
| ChildOf | Category | 852 | CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844 |
| ChildOf | Category | 882 | CERT C++ Secure Coding Section 14 - Concurrency (CON) | Weaknesses Addressed by the CERT C++ Secure Coding Standard (primary) 868 |
| ChildOf | Category | 894 | SFP Cluster: Synchronization | Software Fault Pattern (SFP) Clusters (primary) 888 |
| PeerOf | Weakness Base | 365 | Race Condition in Switch | Research Concepts 1000 |
+ Affected Resources
  • System Process
+ Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | | | Race condition within a thread |
| CERT C Secure Coding | POS00-C | | Avoid race conditions with multiple threads |
| CERT Java Secure Coding | VNA02-J | | Ensure that compound operations on shared variables are atomic |
| CERT Java Secure Coding | VNA03-J | | Do not assume that a group of calls to independently atomic methods is atomic |
| CERT C++ Secure Coding | CON02-CPP | | Use lock classes for mutex management |
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 13: Race Conditions." Page 205. McGraw-Hill. 2010.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 13, "Race Conditions", Page 759. 1st Edition. Addison Wesley. 2006.
+ Content History
| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | | | Externally Mined |

| Modification Date | Modifier | Organization | Source |
|---|---|---|---|
| | | | updated Time_of_Introduction |
| | | | updated Applicable_Platforms, Common_Consequences, Relationships, Taxonomy_Mappings |
| | | | updated Relationships, Taxonomy_Mappings |
| | | | updated Potential_Mitigations, Relationships |
| | | | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| | | | updated Common_Consequences |
| | | | updated Relationships, Taxonomy_Mappings |
| | | | updated References, Relationships |

Page Last Updated: June 23, 2014