LiveActive security incident?Get immediate response
CWE Reference

CWE-820: Missing Synchronization | Glexia

CWE-820 (Missing Synchronization) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK context.

Release 4.20weaknessIncomplete

Glexia's Take · Automated analysis

CWE-820: Missing Synchronization

Missing Synchronization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Integrity,Confidentiality,Other: Modify Application Data,Read Application Data,Alter Execution Logic

Developer Pattern

CWE-820 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Automation confidence

high confidence from CWE-820, 4.20.

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Official CWE Definition

CWE-820: Missing Synchronization

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the product. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

Type
weakness
Abstraction
Base
Status
Incomplete
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The following code intends to fork a process, then have both the parent and child processes print a single line. One might expect the code to print out something like:, ,However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as:,

Remediation

  • Use safe APIs
  • Centralize the control
  • Add regression tests
  • Review logs and telemetry for attempted abuse

Detection

  • Code review
  • SAST
  • DAST
  • Focused regression tests

Mappings

Related CVEs, CWEs, and ATT&CK context