cwe-833-deadlock
CWE-833 Deadlock
Description
Deadlock
Reference: https://cwe.mitre.org/data/definitions/833.html
OWASP Category: A04:2021 – Insecure Design
Vulnerable Pattern
❌ Example 1: Vulnerable Pattern
// VULNERABLE: Potential deadlock - different lock ordering
public void transferMoney(Account from, Account to, int amount) {
synchronized (from) {
synchronized (to) {
from.withdraw(amount);
to.deposit(amount);
}
}
}
Why it's vulnerable: This pattern is vulnerable to Deadlock
Deterministic Fix
✅ Secure Implementation: Secure Implementation
// SECURE: Consistent lock ordering
public void transferMoney(Account from, Account to, int amount) {
Account first = from.getId() < to.getId() ? from : to;
Account second = from.getId() < to.getId() ? to : from;
synchronized (first) {
synchronized (second) {
from.withdraw(amount);
to.deposit(amount);
}
}
}
Why it's secure: Implements proper protection against Deadlock
Detection Pattern
Look for these patterns in your codebase:
# Find nested synchronized
grep -rn "synchronized.*{" --include="*.java" -A10 | grep "synchronized"
Remediation Steps
-
Always acquire locks in consistent order
-
Use Lock.tryLock() with timeout
-
Consider lock-free data structures
-
Use higher-level concurrency utilities
Key Imports
import java.util.concurrent.locks.Lock;
Verification
After remediation:
-
Run SAST scanner to confirm vulnerability is resolved
-
Review all instances of the vulnerable pattern
-
Add unit tests that verify the secure implementation
-
Check for similar patterns in related code
Trigger Examples
Fix CWE-833 vulnerability
Resolve Deadlock issue
Secure this Java code against deadlock
SAST reports CWE-833
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
References
Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07