# CWE-362 Race Condition
## Description

Race Condition

- Reference: https://cwe.mitre.org/data/definitions/362.html
- OWASP Category: A04:2021 – Insecure Design
## Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: Race condition in check-then-act
public class BoundedCounter {
    private static final int MAX_VALUE = 1000; // illustrative bound the counter must never exceed
    private int counter = 0;

    public void increment() {
        // The check and the increment are two separate steps with no lock or atomic
        // operation around them, so another thread can interleave between the two.
        if (counter < MAX_VALUE) {
            counter++; // Race condition: read-modify-write on a plain field is not atomic
        }
    }
}
```

Why it's vulnerable: the bounds check and the increment are not performed as one atomic step. Two threads can both observe `counter < MAX_VALUE` while `counter` is `MAX_VALUE - 1` and both increment it, pushing the value past the bound; concurrent `counter++` calls can also lose updates, since each is a separate read, add and write.
## Deterministic Fix

✅ Secure Implementation

```java
// SECURE: Use AtomicInteger for thread-safe operations
import java.util.concurrent.atomic.AtomicInteger;

public class BoundedCounter {
    private static final int MAX_VALUE = 1000; // illustrative bound

    private final AtomicInteger counter = new AtomicInteger(0);

    public void increment() {
        // updateAndGet applies the function atomically (compare-and-set retry loop),
        // so the bound is checked and applied in a single step.
        counter.updateAndGet(c -> Math.min(c + 1, MAX_VALUE));
    }

    // Or use synchronization: the lock makes check-then-act a single atomic step.
    private final Object lock = new Object();
    private int plainCounter = 0; // plain int, only ever accessed while holding lock

    public void incrementSynchronized() {
        synchronized (lock) {
            if (plainCounter < MAX_VALUE) {
                plainCounter++;
            }
        }
    }
}
```

Why it's secure: `updateAndGet` performs the check and the increment as one atomic compare-and-set, so no interleaving thread can observe the intermediate state; the `synchronized` variant achieves the same by holding a lock across the check-then-act sequence, which also guarantees visibility of the updated value to the next thread that acquires the lock.
## Detection Pattern

Look for these patterns in your codebase:

```shell
# Find unsynchronized increment
# Coarse heuristic: the -v filter only drops hits whose own line mentions
# synchronized or Atomic, so review the remaining matches manually.
grep -rn "++\\|--" --include="*.java" | grep -v "synchronized\\|Atomic"
```
## Remediation Steps

- Use atomic variables for simple counters
- Use synchronized blocks for complex operations
- Consider using concurrent collections
- Use ReentrantLock for more control
## Key Imports

```java
import java.util.concurrent.atomic.AtomicInteger;
```
## Verification

After remediation:

- Run SAST scanner to confirm vulnerability is resolved
- Review all instances of the vulnerable pattern
- Add unit tests that verify the secure implementation
- Check for similar patterns in related code
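The remediation steps and the verification step "add unit tests" above can be exercised with a concurrency stress harness. The following is an added example, not code from the page's generator or from any project it describes: it puts the racy check-then-act counter next to an `AtomicInteger` version and a `ReentrantLock` version (remediation step 4), runs them under many threads, and fails if either safe variant ever exceeds the bound. The class and method names (`BoundedCounterRaceTest`, `stress`, `RacyCounter`, `AtomicCounter`, `LockedCounter`) and the bound of 1,000 are assumptions chosen for the example.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.ReentrantLock;

/** Added example (hypothetical names): bounded counters, one racy and two safe, under contention. */
public class BoundedCounterRaceTest {
    static final int MAX_VALUE = 1_000; // illustrative bound

    interface Counter {
        void increment();
        int get();
    }

    // Unsynchronized check-then-act: the same defect as the vulnerable pattern.
    static final class RacyCounter implements Counter {
        private int counter = 0;
        public void increment() { if (counter < MAX_VALUE) { counter++; } }
        public int get() { return counter; }
    }

    // AtomicInteger: the update function runs inside a compare-and-set loop, so the bound holds.
    static final class AtomicCounter implements Counter {
        private final AtomicInteger counter = new AtomicInteger(0);
        public void increment() { counter.updateAndGet(c -> Math.min(c + 1, MAX_VALUE)); }
        public int get() { return counter.get(); }
    }

    // ReentrantLock: explicit lock around check-then-act; also gives tryLock/timeouts when needed.
    static final class LockedCounter implements Counter {
        private final ReentrantLock lock = new ReentrantLock();
        private int counter = 0;
        public void increment() {
            lock.lock();
            try { if (counter < MAX_VALUE) { counter++; } } finally { lock.unlock(); }
        }
        public int get() {
            lock.lock();
            try { return counter; } finally { lock.unlock(); }
        }
    }

    /** Starts all threads on a latch so they contend at once; returns the counter's final value. */
    static int stress(Counter counter, int threads, int callsPerThread) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                try {
                    start.await();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
                for (int i = 0; i < callsPerThread; i++) {
                    counter.increment();
                }
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return counter.get();
    }

    public static void main(String[] args) throws InterruptedException {
        int threads = 16;
        int calls = 100_000; // far more attempts than MAX_VALUE, so each counter should stop exactly at the bound
        // The racy result is nondeterministic: it can overshoot the bound or lose updates on a given run.
        System.out.println("racy   = " + stress(new RacyCounter(), threads, calls));
        int atomic = stress(new AtomicCounter(), threads, calls);
        int locked = stress(new LockedCounter(), threads, calls);
        System.out.println("atomic = " + atomic + ", locked = " + locked);
        if (atomic != MAX_VALUE || locked != MAX_VALUE) {
            throw new AssertionError("bound violated: atomic=" + atomic + " locked=" + locked);
        }
    }
}
```

Compile and run with `javac BoundedCounterRaceTest.java && java BoundedCounterRaceTest`. The racy counter's line is printed rather than asserted because a race may or may not manifest on any single run; a real unit test should repeat the harness several times and treat a single overshoot as a failure, while the two safe variants must land on the bound every time.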
## Trigger Examples

- Fix CWE-362 vulnerability
- Resolve Race Condition issue
- Secure this Java code against race condition
- SAST reports CWE-362
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07