CWE-367

Medium likelihood

Time-of-check Time-of-use (TOCTOU) Race Condition

Parent: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

589 vulnerabilities with CWE-367
CVE-2026-26206 MEDIUM
Wazuh: API brute-force protection bypass via race condition in login attempt tracking
CVSS 6.5
CVE-2026-31535 MEDIUM
smb: client: make use of smbdirect_socket.recv_io.credits.available
CVSS 4.7
CVE-2026-41360 MEDIUM
OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding
CVSS 6.7
CVE-2026-41338 MEDIUM
OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File Operations
CVSS 5.0
CVE-2026-41337 MEDIUM
OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay
CVSS 5.3
CVE-2026-35376 MEDIUM
uutils coreutils chcon Security Bypass and Mandatory Access Control (MAC) Inconsistency via TOCTOU Race Condition
CVSS 4.5
CVE-2026-35374 MEDIUM
uutils coreutils split Arbitrary File Truncation via Time-of-Check to Time-of-Use (TOCTOU) Race Condition
CVSS 6.3
CVE-2026-35364 MEDIUM
uutils coreutils mv Arbitrary File Overwrite via Cross-Device TOCTOU Race Condition
CVSS 6.3
CVE-2026-35362 LOW
uutils coreutils Missing TOCTOU Protection on Non-Linux Unix Platforms in Safe Traversal Module
CVSS 3.6
CVE-2026-35360 MEDIUM
uutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition
CVSS 6.3
CVE-2026-35359 MEDIUM
uutils coreutils cp Information Disclosure via Time-of-Check to Time-of-Use Symlink Swap
CVSS 4.7
CVE-2026-35357 MEDIUM
uutils coreutils cp Information Disclosure via Permission Handling Race
CVSS 4.7
CVE-2026-35356 MEDIUM
uutils coreutils install Arbitrary File Overwrite with -D via Path Component Symlink Race
CVSS 6.3
CVE-2026-35355 MEDIUM
uutils coreutils install Arbitrary File Overwrite via Symlink TOCTOU Race
CVSS 6.3
CVE-2026-35354 MEDIUM
uutils coreutils mv Security Xattr TOCTOU Race in Cross-Device
CVSS 4.7
CVE-2026-35353 LOW
uutils coreutils mkdir Permission Exposure Race Condition with -m
CVSS 3.3
CVE-2026-35352 HIGH
uutils coreutils mkfifo Privilege Escalation via TOCTOU Race Condition
CVSS 7.0
CVE-2026-35345 MEDIUM
uutils coreutils tail Privileged Information Disclosure via Symlink Replacement Race
CVSS 5.3
CVE-2026-41651 HIGH
PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root
CVSS 8.8
CVE-2026-31523 MEDIUM
nvme-pci: ensure we're polling a polled queue
CVSS 4.7
CVE-2026-22751 MEDIUM
Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions
CVSS 4.8
CVE-2026-41296 HIGH
OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile
CVSS 8.2
CVE-2026-40896 MEDIUM
OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup
CVSS 6.5
CVE-2026-5958 LOW
Race Condition in GNU Sed
CVE-2026-3428 MEDIUM
Asus Member Center(华硕大厅) < 1.6.6.4 and earlier - Privilege Escalation