shared × unstructured — bad data written permanently, and it spreads

Torn Write / Lost-Update Corruption

Two threads write one shared buffer at an unvalidated offset with no lock; their writes overlap and run past the end, leaving permanent corruption no single thread would produce.

01the recipe

In the wild

compound ofRace ConditionsCWE-366 Thread RaceLack of Input ValidationCWE-20 Input ValidationcompoundCWE-787 OOB Write

example.c

// SMELL: concurrent writers, unvalidated offset, no lock.
// (race conditions x lack of input validation)
char buf[256];
void write_at(int off, const char *s, int n) {
    memcpy(buf + off, s, n);      // off/n come from input, unchecked;
}                                 // concurrent calls overlap -> torn, OOB write

// RIGHT: validate the bounds, then serialize the writers with a lock.
void write_at(int off, const char *s, int n) {
    if (off < 0 || n < 0 || off + n > (int)sizeof buf) return;
    pthread_mutex_lock(&m);
    memcpy(buf + off, s, n);
    pthread_mutex_unlock(&m);
}

An unvalidated offset plus no synchronization lets two writers interleave on one buffer; their writes overlap and spill past the end, leaving the shared buffer corrupted in a way no single thread would reach. Validate the bounds and serialize the writers.

// observed

race: concurrent unchecked writes overlap -> buffer corrupted (intermittent)
right: bounds checked + writes serialized -> every write lands intact

02weakness catalog

Mapped weaknesses (CWE)

On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.