Security vulnerabilities and automated fixes for race condition issues
2 posts found
A medium-severity TOCTOU (Time-of-Check to Time-of-Use) race condition vulnerability was discovered and fixed in a Rust application's lock file creation logic, where an attacker could exploit the window between a file existence check and its creation to redirect writes to an attacker-controlled path via a symlink. The fix applies the `O_NOFOLLOW` flag on Unix systems, ensuring the OS refuses to follow symlinks at the lock file path and fails loudly instead of silently writing to an attacker-cont
A critical use-after-free vulnerability was discovered and patched in the multi-threaded ICMP processing path of a Windows/Cygwin network probing library, where freed memory pointers were not nullified, creating a dangerous race condition between concurrent threads. Left unpatched, this flaw could allow attackers to corrupt heap metadata, potentially leading to arbitrary code execution or denial of service. The fix ensures that dangling pointers are eliminated immediately after memory is freed,