cvekit
LIVE
All CWEs

CWE-412

Unrestricted Externally Accessible Lock

BaseIncompleteSimple5 CVEs
The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.

Extended description

This prevents the product from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent.

Common consequences1

  • AvailabilityDoS: Resource Consumption (Other)

    When an attacker can control a lock, the program may wait indefinitely until the attacker releases the lock, causing a denial of service to other users of the program. This is especially problematic if there is a blocking operation on the lock.

Potential mitigations3

  1. Architecture and DesignImplementation

    Use any access control that is offered by the functionality that is offering the lock.

  2. Architecture and DesignImplementation

    Use unpredictable names or identifiers for the locks. This might not always be possible or feasible.

  3. Architecture and Design

    Consider modifying your code to use non-blocking synchronization methods.

Relationships2

CVEs referencing this CWE5

CVEDescriptionSeverityEPSSFlagsModified
CVE-2019-18269

Omron’s CS and CJ series PLCs have an unrestricted externally accessible lock vulnerability.

CRITICAL9.8
1.08%p61
2026-06-02
CVE-2023-38505

DietPi-Dashboard is a web dashboard for the operating system DietPi. The dashboard only allows for one TLS handshake to be in process at a given moment. Once a TCP connection is established in HTTPS mode, it will assume that it should be waiting for a handshake, and will stay this way indefinitely until a handshake starts or some error occurs. In version 0.6.1, this can be exploited by simply not starting the handshake, preventing any other TLS handshakes from getting through. An attacker can lock the dashboard in a state where it is waiting for a TLS handshake from the attacker, who won't provide it. This prevents any legitimate traffic from getting to the dashboard, and can last indefinitely. Version 0.6.2 has a patch for this issue. As a workaround, do not use HTTPS mode on the open internet where anyone can connect. Instead, put a reverse proxy in front of the dashboard, and have it handle any HTTPS connections.

HIGH7.5
0.65%p46
2024-11-21
CVE-2023-22318

Denial of service in Webconf in Tribe29 Checkmk Appliance before 1.6.5.

HIGH7.5
0.53%p41
2025-01-23
CVE-2019-11485

Sander Bos discovered Apport's lock file was in a world-writable directory which allowed all users to prevent crash handling.

LOW3.3
0.26%p17
2024-11-21
CVE-2026-25612

The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.

MEDIUM6.5
0.20%p10
2026-04-15