The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.
View on MITREWhen a resource is not properly locked, an attacker could modify the resource while it is being operated on by the product. This might violate the product's assumption that the resource will not change, potentially leading to unexpected behaviors.
Use a non-conflicting privilege scheme.
Use synchronization when locking a resource.
No detection method information available for this CWE.
The following function attempts to acquire a lock in order to perform operations on a shared resource.
However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.
The following function attempts to acquire a lock in order to perform operations on a shared resource.
However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.
This Java example shows a simple BankAccount class with deposit and withdraw methods.
However, the deposit and withdraw methods have shared access to the account balance private class variable. This can result in a race condition if multiple threads attempt to call the deposit and withdraw methods simultaneously where the account balance is modified by one thread before another thread has completed modifying the account balance. For example, if a thread attempts to withdraw funds using the withdraw method before another thread that is depositing funds using the deposit method completes the deposit then there may not be sufficient funds for the withdraw transaction.
This Java example shows a simple BankAccount class with deposit and withdraw methods.
However, the deposit and withdraw methods have shared access to the account balance private class variable. This can result in a race condition if multiple threads attempt to call the deposit and withdraw methods simultaneously where the account balance is modified by one thread before another thread has completed modifying the account balance. For example, if a thread attempts to withdraw funds using the withdraw method before another thread that is depositing funds using the deposit method completes the deposit then there may not be sufficient funds for the withdraw transaction.
This Java example shows a simple BankAccount class with deposit and withdraw methods.
However, the deposit and withdraw methods have shared access to the account balance private class variable. This can result in a race condition if multiple threads attempt to call the deposit and withdraw methods simultaneously where the account balance is modified by one thread before another thread has completed modifying the account balance. For example, if a thread attempts to withdraw funds using the withdraw method before another thread that is depositing funds using the deposit method completes the deposit then there may not be sufficient funds for the withdraw transaction.
Chain: an operating system kernel has insufficent resource locking (CWE-413) leading to a use after free (CWE-416).
View DetailsNo relationship information available for this CWE.
CWE-413: Improper Resource Locking is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the product. This might violate the product's assumption that the resource will not change, potentially leading to unexpected behaviors.
If exploited, CWE-413 (Improper Resource Locking) it can compromise Integrity and Availability, leading to outcomes such as Modify Application Data, DoS: Instability and DoS: Crash, Exit, or Restart.
Recommended mitigations for CWE-413 include: Use a non-conflicting privilege scheme. Use synchronization when locking a resource.
CWE-413 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-413, including CVE-2022-20141. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-413 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.