CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
- Abstraction: Base
- Structure: Simple
- Status: Incomplete
- Release Date: 2006-07-19
- Latest Modification Date: 2025-09-09
Weakness Name
Time-of-check Time-of-use (TOCTOU) Race Condition
Description
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Common Consequences
Scope: Integrity, Other
Impact: Alter Execution Logic, Unexpected State
Notes: The attacker can gain access to otherwise unauthorized resources.
Scope: Integrity, Other
Impact: Modify Application Data, Modify Files or Directories, Modify Memory, Other
Notes: Race conditions of this kind may be used to gain read or write access to resources that are not normally readable or writable by the user in question.
Scope: Integrity, Other
Impact: Other
Notes: The resource in question, or other resources (through the corrupted one), may be changed in undesirable ways by a malicious user.
Scope: Non-Repudiation
Impact: Hide Activities
Notes: If a file or other resource is written by this method, rather than in a valid way, logging of the activity may not occur.
Scope: Non-Repudiation, Other
Impact: Other
Notes: In some cases it may be possible to delete files a malicious user might not otherwise have access to, such as log files.
Scope: Other
Impact: Unexpected State
Notes: The product may perform invalid actions when the resource is in an unexpected state.
Related Weaknesses
CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - Medium