TOCTOU Vulnerability
What is TOCTOU Vulnerability?
TOCTOU Vulnerability: A time-of-check to time-of-use race condition where the state checked by a security decision is changed before the corresponding action is performed.
A TOCTOU vulnerability (Time-Of-Check to Time-Of-Use, CWE-367) is a specific kind of race condition in which a program checks a property of a resource (file ownership, permissions, content) and then operates on that resource as if the check were still valid. An attacker who can swap the resource between the two steps, typically using symlinks, renames or shared memory, bypasses the check entirely. The classic example is access() followed by open(): the attacker replaces the path with a symlink to /etc/shadow after access() returns success. Defences include filesystem APIs that combine check and use (openat with O_NOFOLLOW, fstat on the already-open descriptor), holding file descriptors instead of paths, file locking, and stricter sandbox boundaries.
● Examples
- 01: Setuid program that checks file ownership with stat() and then opens the path.
- 02: Container escape via TOCTOU on bind-mount paths.
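The stat()-then-open() pattern from example 01 beside the descriptor-based form the definition recommends, as an added illustration that is not code from this page. The temporary directory under /tmp is a constructed fixture; the safe opener refuses a symlink (open fails with ELOOP) and checks ownership on the descriptor it will actually use.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vulnerable pattern: the check runs on a path and the use runs on the same
 * path later, so whatever the path names in between is what gets opened. */
int open_owned_file_toctou(const char *path, uid_t owner)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner)
        return -1;                      /* time of check */
    return open(path, O_RDONLY);        /* time of use, still by path */
}

/* Hardened form: open without following a final symlink, then fstat() the
 * descriptor. The object checked is the object used, because the fd pins it. */
int open_owned_file_safe(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;              /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file we own plus a symlink to it. Returns 1
 * if the safe opener accepts the file and refuses the link while the
 * path-based opener accepts the link; 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", file[64], link[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, link) != 0) return 0;
    close(fd);
    int a = open_owned_file_safe(file, getuid());   /* accepted */
    int b = open_owned_file_safe(link, getuid());   /* refused */
    int c = open_owned_file_toctou(link, getuid()); /* follows the link */
    if (a >= 0) close(a);
    if (c >= 0) close(c);
    unlink(link); unlink(file); rmdir(dir);
    return a >= 0 && b < 0 && c >= 0;
}
```

O_NOFOLLOW only guards the final path component; if an attacker controls a parent directory, walk the path with openat() on a trusted directory descriptor instead of passing the full path.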
● Frequently asked questions
What is TOCTOU Vulnerability?
A time-of-check to time-of-use race condition where the state checked by a security decision is changed before the corresponding action is performed. It belongs to the Vulnerabilities category of cybersecurity.
What does TOCTOU Vulnerability mean?
A time-of-check to time-of-use race condition where the state checked by a security decision is changed before the corresponding action is performed.
How do you defend against TOCTOU Vulnerability?
Defences for TOCTOU Vulnerability typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for TOCTOU Vulnerability?
Common alternative names include: Time-of-check time-of-use, TOCTTOU.