LiveActive security incident?Get immediate response
CVE Record

CVE-2014-9748: The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not prope...

The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is an old libuv locking bug affecting the Windows XP and Server 2003 fallback path before libuv 1.7.4. It can let one thread release another thread’s lock, creating a race condition that may deadlock an application and cause denial of service. Public data does not show active exploitation.

Executive priority

Treat this as a legacy-platform availability risk. It should not outrank actively exploited vulnerabilities, but any remaining XP or Server 2003 systems running old libuv-dependent software deserve prompt inventory and retirement planning.

Technical view

CVE-2014-9748 concerns uv_rwlock_t in libuv before 1.7.4 on Windows XP and Server 2003 fallback implementations. The lock ownership check is insufficient, so cross-thread unlock behavior can occur. The documented impact is denial of service through deadlock, with possible unspecified additional impact.

Likely exposure

Exposure is most likely in legacy applications embedding libuv before 1.7.4 and still running on Windows XP or Windows Server 2003. The provided affected-product data is incomplete, so downstream products should be verified through software inventory rather than assumed.

Exploitation context

The source bundle marks KEV as false and provides no cited evidence of active exploitation. Public references point to libuv and Node.js issue or pull-request discussions, but the bundle does not establish weaponized exploitation or a specific attack path.

Researcher notes

The public record is sparse: no CVSS, no CWE, and affected vendor/product values are not meaningful. The clearest scope is libuv before 1.7.4 on XP/Server 2003 fallback locking code. Avoid extrapolating to modern Windows implementations without vendor evidence.

Mitigation direction

  • Inventory applications and embedded components using libuv.
  • Upgrade libuv to 1.7.4 or later where applicable.
  • Retire Windows XP and Server 2003 deployments where feasible.
  • Check libuv and downstream vendor guidance for supported fixes.
  • Monitor legacy services for unexplained deadlocks or availability failures.

Validation and detection

  • Confirm whether any deployed software embeds libuv before 1.7.4.
  • Identify deployments running on Windows XP or Server 2003.
  • Review vendor advisories for downstream products using libuv.
  • Check service logs for deadlock-related availability incidents.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2014-9748 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
5Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.