

Time of Check Time of Use

Time-of-Check to Time-of-Use (TOCTOU) is a race condition vulnerability that occurs when a resource is checked for a particular state, but that state changes before the resource is actually used. This invalidates the original check and can be exploited by an attacker to escalate privileges, overwrite files, or bypass security controls. TOCTOU typically arises in scenarios involving shared mutable resources or concurrent operations (e.g., multithreading, multiprocessing, or filesystem access).

Remediation

  • Avoid branching logic based on mutable resources when a time gap exists between the check and the action.
  • Ensure atomic operations on resources wherever possible (e.g., use OS-provided system calls that combine check-and-use in one operation).
  • Apply proper locking or synchronisation primitives to prevent concurrent modification of shared resources.
  • For file operations, use secure APIs (e.g., open(O_CREAT|O_EXCL) on POSIX) that guarantee atomicity.

For more information refer to Steam Privilege Escalation mini course on SecDim Learn.
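Added example (not part of this page or of SecDim's labs) contrasting the racy check-then-use pattern with the atomic `open(O_CREAT|O_EXCL)` remediation from the list above. The harness plants a dangling symlink at a constructed `/tmp` path and reports whether each create routine was tricked into creating the link's target; the paths and helper names are assumptions for the demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for symlink(), access(), O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: the check (access) and the use (open) are two separate
 * syscalls, so whatever sits at `path` can change in between them. */
int create_check_then_use(const char *path) {
    if (access(path, F_OK) == 0) {            /* CHECK: anything there? */
        errno = EEXIST;
        return -1;
    }
    /* race window: `path` may now be replaced, e.g. by a symlink */
    return open(path, O_WRONLY | O_CREAT, 0600);   /* USE: follows symlinks */
}

/* Hardened pattern: one syscall performs check-and-create atomically.
 * O_EXCL fails with EEXIST if anything (a symlink included) is at `path`;
 * O_NOFOLLOW additionally refuses to follow a symlink at the final component. */
int create_atomic(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: place a dangling symlink `path` -> `target`, call the
 * create routine on `path`, and report whether `target` was created through
 * the link. Returns 1 if the routine was fooled, 0 if it refused, -1 on setup error. */
int creates_through_dangling_symlink(int (*create)(const char *),
                                     const char *path, const char *target) {
    struct stat st;
    unlink(path);
    unlink(target);
    if (symlink(target, path) != 0) return -1;
    int fd = create(path);
    if (fd >= 0) close(fd);
    int fooled = (stat(target, &st) == 0);
    unlink(path);
    unlink(target);
    return fooled;
}

int main(void) {
    const char *link = "/tmp/toctou_demo_link";     /* constructed sample paths */
    const char *target = "/tmp/toctou_demo_target";
    printf("check-then-use fooled: %d\n",
           creates_through_dangling_symlink(create_check_then_use, link, target));
    printf("atomic create fooled:  %d\n",
           creates_through_dangling_symlink(create_atomic, link, target));
    return 0;
}
```

The same harness is a cheap regression check for any file-creation routine: a result of 1 means the routine still trusts a check that a concurrent writer can invalidate.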

Metadata

  • Severity: medium
  • Slug: time-of-check-time-of-use

CWEs

  • 367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • 362: Concurrent Execution using Shared Resource with Improper Synchronisation ('Race Condition')
  • 366: Race Condition within a Thread

OWASP

  • A01:2021: Broken Access Control
  • A05:2021: Security Misconfiguration

Available Labs

Open Java labs in SecDim Play for this vulnerability.
