Race-Condition

Gotenberg is vulnerable to a remote denial-of-service (DoS) in multipart `downloadFrom` handling, where a crafted multipart request with multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization, leading to process termination.

Open WebUI versions 0.8.12 and earlier are vulnerable to a time-of-check-time-of-use (TOCTOU) race condition in the LDAP and OAuth authentication flows, allowing multiple concurrent requests on a fresh instance to bypass the first-user admin role assignment and resulting in multiple admin accounts (CVE-2026-45675).

CVE-2026-34351 is a race condition vulnerability in Windows TCP/IP that allows an authorized attacker to elevate privileges locally.

CVE-2026-34345 describes a race condition vulnerability in Windows Ancillary Function Driver for WinSock, allowing an authorized attacker to elevate privileges locally.

CVE-2026-34342 is a race condition vulnerability in Windows Print Spooler Components that allows an authorized attacker to elevate privileges locally.

CVE-2026-34334 describes a race condition vulnerability within Windows TCP/IP, enabling a locally authorized attacker to escalate privileges.

CVE-2026-34331 describes a race condition vulnerability in Windows Win32K - GRFX that allows an authorized attacker to elevate privileges locally due to improper synchronization when accessing shared resources.

CVE-2026-33839 is a race condition vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to elevate privileges.

CVE-2026-32161 is a race condition vulnerability in the Windows Native WiFi Miniport Driver that allows an unauthorized attacker to execute code over an adjacent network.

CVE-2025-38717 is a race condition vulnerability in the kcm_unattach() function of a Microsoft product, potentially leading to denial of service or privilege escalation.

CVE-2025-68146 describes a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the filelock library that could allow for symlink attacks during lock file creation, potentially leading to unauthorized file access or modification.

CVE-2026-27911 is a race condition vulnerability in the Windows User Interface Core that allows a local attacker to elevate privileges due to improper synchronization when accessing shared resources.

CVE-2026-33827 is a race condition vulnerability in Windows TCP/IP that allows an attacker to execute arbitrary code over the network by exploiting improper synchronization during concurrent execution using shared resources.

CVE-2026-32160 describes a race condition vulnerability in Windows Push Notifications that allows a locally authorized attacker to elevate privileges.

CVE-2026-32158 is a race condition vulnerability in Windows Push Notifications that allows an authorized attacker to elevate privileges locally due to improper synchronization when using shared resources.

CVE-2026-26172 is a race condition vulnerability in Windows Push Notifications, allowing a locally authenticated attacker to elevate privileges.

CVE-2026-27927 is a race condition vulnerability in the Windows Projected File System that allows an authorized attacker to escalate privileges locally.

CVE-2026-27926 is a race condition vulnerability in the Windows Cloud Files Mini Filter Driver that allows a local attacker to elevate privileges.

CVE-2026-32159 is a race condition vulnerability in Windows Push Notifications, allowing a local attacker with low privileges to elevate privileges by exploiting concurrent execution using a shared resource with improper synchronization.

CVE-2026-32091 is a race condition vulnerability in the Microsoft Brokering File System, allowing an unauthenticated local attacker to escalate privileges.

CVE-2026-27918 is a race condition vulnerability in Windows Shell, allowing a local attacker to elevate privileges due to improper synchronization when accessing shared resources.

Lakeside SysTrack Agent 11 before 11.2.1.28 is vulnerable to a race condition that allows for local privilege escalation to SYSTEM, as tracked by CVE-2026-35099.

Unauthenticated attackers can exploit CVE-2026-3055 (out-of-bounds read) to exfiltrate sensitive data from NetScaler ADC and Gateway, while CVE-2026-4368 (race condition) enables user session hijacking, necessitating immediate patching and enhanced monitoring.

RegPwnBOF exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism, enabling a normal user to write arbitrary values to protected HKLM registry keys for persistence and privilege escalation.

A race condition vulnerability (CVE-2019-8565) exists in macOS where a privileged XPC service, com.apple.appleseed.fbahelperd, improperly validates XPC messages based on process ID, allowing an unprivileged process to escalate privileges to root.

A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.