CWE-386 - Symbolic Name not Mapping to Correct Object
- Abstraction: Base
- Structure: Simple
- Status: Draft
- Release Date: 2006-07-19
- Latest Modification Date: 2023-06-29
Weakness Name
Symbolic Name not Mapping to Correct Object
Description
A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.
Common Consequences
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: The attacker can gain access to otherwise unauthorized resources.
Scope: Integrity, Confidentiality, Other
Impact: Modify Application Data, Modify Files or Directories, Read Application Data, Read Files or Directories, Other
Notes: Race conditions of this kind may be employed to gain read or write access to resources not normally readable or writable by the user in question.
Scope: Integrity, Other
Impact: Modify Application Data, Other
Notes: The resource in question, or other resources (through the corrupted one) may be changed in undesirable ways by a malicious user.
Scope: Non-Repudiation
Impact: Hide Activities
Notes: If a file or other resource is written using this method rather than a valid one, logging of the activity may not occur.
Scope: Non-Repudiation, Integrity
Impact: Modify Files or Directories
Notes: In some cases it may be possible to delete files that a malicious user might not otherwise have access to -- such as log files.
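The weakness in the description, shown for a file path as an added example that is not part of the CWE entry: the first function checks a name and then resolves the same name again for the use, while the second resolves the name once and performs both the check and the use on the resulting descriptor. The function names, the `window` callback (which stands in for another process rebinding the name between check and use) and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

def use_by_name(path, window=lambda: None):
    """Weak pattern: the check and the use each resolve the name separately."""
    checked = os.lstat(path)                  # name -> object A
    if not stat.S_ISREG(checked.st_mode):
        raise PermissionError("not a regular file")
    window()                                  # the name may be rebound here
    with open(path, "rb") as f:               # name -> whatever it maps to now
        return f.read()

def use_by_descriptor(path, window=lambda: None):
    """Hardened pattern: resolve once, then check and use the same object."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)                 # name -> object A, bound to fd
    try:
        st = os.fstat(fd)                     # the check inspects object A
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        window()                              # rebinding the name no longer matters
        return os.read(fd, st.st_size)        # the use reads object A
    finally:
        os.close(fd)

def demo():
    """Run both patterns while the name is rebound inside the window."""
    with tempfile.TemporaryDirectory() as d:
        name = os.path.join(d, "report.txt")  # constructed sample files
        other = os.path.join(d, "other.txt")

        def reset():
            with open(name, "wb") as f:
                f.write(b"checked object")
            with open(other, "wb") as f:
                f.write(b"different object")

        def rebind():
            os.replace(other, name)           # same name, different inode

        reset()
        weak = use_by_name(name, rebind)
        reset()
        bound = use_by_descriptor(name, rebind)
        return weak, bound

if __name__ == "__main__":
    print(demo())
```

The path-based version returns the contents of the object the name was rebound to, while the descriptor-based version returns the object that was actually checked.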
Related Weaknesses
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition - Medium
CWE-486 - Comparison of Classes by Name - High
CWE-610 - Externally Controlled Reference to a Resource in Another Sphere