CWE-820: Missing Synchronization | Glexia
CWE-820 (Missing Synchronization) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK context.
Glexia's Take · Automated analysis
CWE-820: Missing Synchronization
Missing Synchronization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Integrity,Confidentiality,Other: Modify Application Data,Read Application Data,Alter Execution Logic
Developer Pattern
CWE-820 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Automation confidence
high confidence from CWE-820, 4.20.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Official CWE Definition
CWE-820: Missing Synchronization
The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the product. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- The following code intends to fork a process, then have both the parent and child processes print a single line. One might expect the code to print out something like:, ,However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as:,
Remediation
- Use safe APIs
- Centralize the control
- Add regression tests
- Review logs and telemetry for attempted abuse
Detection
- Code review
- SAST
- DAST
- Focused regression tests
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-1096: Singleton Class Instance Creation without Proper Locking or Synchronization
- CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context
- CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
- CWE-662: Improper Synchronization
- CWE-662: Improper Synchronization
- CWE-662: Improper Synchronization
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.
