CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

BaseIncompleteExploit Likelihood: Medium

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition?+

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

What are the security consequences of Time-of-check Time-of-use (TOCTOU) Race Condition?+

If exploited, CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) it can compromise Integrity, Other and Non-Repudiation, leading to outcomes such as Alter Execution Logic, Unexpected State, Modify Application Data, Modify Files or Directories, Modify Memory and Other.

How do you prevent or mitigate Time-of-check Time-of-use (TOCTOU) Race Condition?+

Recommended mitigations for CWE-367 include: The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check. When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement. Limit the interleaving of operations on files from multiple processes.

Which programming languages are affected by Time-of-check Time-of-use (TOCTOU) Race Condition?+

CWE-367 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Time-of-check Time-of-use (TOCTOU) Race Condition?+

MITRE documents real CVEs mapped to CWE-367, including CVE-2015-1743, CVE-2003-0813, CVE-2004-0594, CVE-2008-2958 and CVE-2008-1570. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-367 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More