

Time of Check Time of Use

Time-of-Check to Time-of-Use (TOCTOU) is a race condition vulnerability that occurs when a resource is checked for a particular state, but that state changes before the resource is actually used. This invalidates the original check and can be exploited by an attacker to escalate privileges, overwrite files, or bypass security controls. TOCTOU typically arises in scenarios involving shared mutable resources or concurrent operations (e.g., multithreading, multiprocessing, or filesystem access).

Remediation

  • Avoid branching logic based on mutable resources when a time gap exists between the check and the action.
  • Ensure atomic operations on resources wherever possible (e.g., use OS-provided system calls that combine check-and-use in one operation).
  • Apply proper locking or synchronisation primitives to prevent concurrent modification of shared resources.
  • For file operations, use secure APIs (e.g., `open(O_CREAT|O_EXCL)` on POSIX) that guarantee atomicity.

For more information, refer to the Steam Privilege Escalation mini course on SecDim Learn: https://learn.secdim.com/course/steam-privilege-escalation/topic/toctou

Metadata

  • Severity: medium
  • Slug: time-of-check-time-of-use

CWEs

  • 367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • 362: Concurrent Execution using Shared Resource with Improper Synchronisation ('Race Condition')
  • 366: Race Condition within a Thread

OWASP

  • A01:2021: Broken Access Control
  • A05:2021: Security Misconfiguration