Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.0)  

CWE-820: Missing Synchronization

Weakness ID: 820
Abstraction: Base
Structure: Simple
Status: Incomplete
Presentation Filter:
+ Description
The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
+ Extended Description
If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.
+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
+ Relevant to the view "Development Concepts" (CWE-699)
+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.


Technical Impact: Modify Application Data; Read Application Data; Alter Execution Logic

+ Demonstrative Examples

Example 1

The following code intends to fork a process, then have both the parent and child processes print a single line.

(bad code)
Example Language:
static void print (char * string) {
char * word;
int counter;
for (word = string; counter = *word++; ) {
putc(counter, stdout);
/* Make timing window a little larger... */




int main(void) {
pid_t pid;

pid = fork();
if (pid == -1) {

else if (pid == 0) {

else {



One might expect the code to print out something like:


However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as:

[blank line]
[blank line]

+ Memberships
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
MemberOfCategoryCategory853CERT Java Secure Coding Section 08 - Locking (LCK)
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CERT Java Secure CodingLCK05-JSynchronize access to static fields that can be modified by untrusted code
+ Content History
Submission DateSubmitterOrganization
2010-08-06CWE Content TeamMITRE
Modification DateModifierOrganization
2010-12-13CWE Content TeamMITRE
updated Demonstrative_Examples, Relationships
2011-06-01CWE Content TeamMITRE
updated Common_Consequences, Relationships, Taxonomy_Mappings
2013-07-17CWE Content TeamMITRE
updated Relationships
2017-11-08CWE Content TeamMITRE
updated Demonstrative_Examples

More information is available — Please select a different filter.
Page Last Updated: January 18, 2018