CWE-413
Improper Resource Locking
Base
What it is
The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.
When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the product. This might violate the product's assumption that the resource will not change, potentially leading to unexpected behaviors.
Impact
| Scope | Impact |
| --- | --- |
| Integrity, Availability | Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart |
Mitigations
- [Architecture and Design] Use a non-conflicting privilege scheme.
- [Architecture and Design, Implementation] Use synchronization when locking a resource.
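The synchronization mitigation, shown as an added example that is not part of the MITRE entry: the same check-then-update on a shared file is run by two threads, first without a lock and then under an exclusive `flock`. The balance file, `withdraw`, `run` and the amounts are assumptions constructed for illustration; the code needs a POSIX system for `fcntl`.

```python
import fcntl, os, tempfile, threading, time

def withdraw(path, amount, use_lock, pause):
    """Check-then-update on a shared balance file; True if the withdrawal was granted."""
    with open(path, "r+") as f:
        if use_lock:
            # Exclusive advisory lock: blocks until no other descriptor holds it.
            # Advisory means every writer must take it for the protection to hold.
            fcntl.flock(f, fcntl.LOCK_EX)
        balance = int(f.read())
        if balance < amount:
            return False
        pause()  # window between the check and the update
        f.seek(0)
        f.truncate()
        f.write(str(balance - amount))
        f.flush()
        return True  # closing the file releases the lock

def run(use_lock):
    """Two concurrent withdrawals of 100 against a balance of 100 (constructed data)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"100")
    os.close(fd)
    if use_lock:
        pause = lambda: time.sleep(0.05)
    else:
        # Barrier makes the unlocked interleaving deterministic: both threads
        # pass the balance check before either one writes.
        pause = threading.Barrier(2).wait
    granted = []
    workers = [threading.Thread(
        target=lambda: granted.append(withdraw(path, 100, use_lock, pause)))
        for _ in range(2)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    with open(path) as f:
        final = int(f.read())
    os.unlink(path)
    return sorted(granted), final

if __name__ == "__main__":
    print("unlocked:", run(False))
    print("locked:  ", run(True))
```

Without the lock both withdrawals are granted against a balance that covers only one, which is the integrity impact listed above; with the lock the second caller sees the updated balance and is refused.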
Real-world CVE examples
- CVE-2022-20141 — Chain: an operating system kernel has insufficient resource locking (CWE-413) leading to a use after free (CWE-416).
Source: MITRE CWE.