race-condition
Safeguard articles tagged "race-condition" — guides, analysis, and best practices for software supply chain and application security.
10 articles
regreSSHion (CVE-2024-6387) Explained: A Signal-Handler Race That Reopened an Old OpenSSH RCE
CVE-2024-6387, regreSSHion, is an unauthenticated remote code execution flaw in OpenSSH's sshd caused by a signal-handler race — a regression of a bug fixed back in 2006.
Race Condition Vulnerabilities Explained
A race condition is a timing flaw where two operations that should happen in order overlap instead — enabling double-spends, TOCTOU bypasses, and kernel exploits.
Go Concurrency Security Pitfalls: When Data Races Become Vulnerabilities
A data race isn't just a flaky test — in the wrong place it's an auth bypass, a cross-request leak, or a denial of service. Here are the Go concurrency bugs that turn into security incidents.
Defender 'RoguePlanet' Zero-Day (CVE-2026-50656): SYSTEM on Fully Patched Windows
A race condition in Microsoft Defender, dubbed RoguePlanet, reportedly hands attackers SYSTEM privileges on fully updated Windows. We break down what is confirmed, what is still hedged, and what to do while the patch is in development.
regreSSHion revisited: defending against CVE-2024-6387 in 2026
How the regreSSHion race condition in OpenSSH sshd reintroduced an unauthenticated RCE on glibc Linux, what the patch trajectory looked like, and the supply chain habits it should change.
TOCTOU (Time-of-check to time-of-use)
TOCTOU flaws let attackers swap a file or resource after it's validated but before it's used, turning a safe check into an exploitable race.
Time-of-check to time-of-use (TOCTOU) race condition vulnerabilities
TOCTOU race conditions let attackers swap a resource between a security check and its use. Real CVEs, exploit mechanics, and prevention patterns explained.
BuildKit Mount Cache Race Condition Vulnerability (CVE-20...
CVE-2024-23651 is a high-severity BuildKit race condition that can expose host files to build containers via shared cache mounts. Here's the full breakdown.
Insecure Temporary File Creation
Insecure temp file creation (CWE-377) still causes real CVEs today — from JUnit4 to npm's tmp package. Here's how the race condition works and how to stop it.
Race Conditions (TOCTOU) in Application Code
From Dirty COW to runc's CVE-2021-30465, TOCTOU race conditions keep slipping past code review. Here's why they're invisible to standard tooling — and how to catch them.