CWE-558 - Use of getlogin() in Multithreaded Application

• Abstraction:
• Variant

• Structure:
• Simple

• Status:
• Draft

Weakness Name

Use of getlogin() in Multithreaded Application

Description

The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents are not locked out and the value of the string can be changed by another process. This makes it very risky to use because the username can be changed by other processes, so the results of the function cannot be trusted.

Common Consequences

Scope: Integrity, Access Control, Other

Impact: Modify Application Data, Bypass Protection Mechanism, Other

Related Weaknesses

CWE-663Use of a Non-reentrant Function in a Concurrent Context

• Release Date:
• 2006-07-19

• Latest Modification Date:
• 2023-10-26

Top Security News

Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411)

Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

Microsoft fixes exploited zero-day (CVE-2024-49138)

Garmin GPS watches crashing, stuck in triangle 'reboot loop'

Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks

DeepSeek Jailbreak Reveals Its Entire System Prompt

Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft

Windows Server 2025 released—here are the new features

Common Alerts

HighSQL Injection

InformationalSec-Fetch-Site Header is Missing

InformationalInformation Disclosure - JWT in Browser sessionStorage

LowServer Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

MediumApache Range Header DoS (CVE-2011-3192)

InformationalCSP: Header & Meta

LowStrict-Transport-Security Disabled

HighSource Code Disclosure - /WEB-INF Folder

HighSource Code Disclosure - CVE-2012-1823

MediumSpring Actuator Information Leak

Top CVE List

CVE-2024-49138 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability

CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability

CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability

CVE-2015-6175 Microsoft Windows Kernel Privilege Escalation Vulnerability

CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

CVE-2024-38217 Microsoft Windows Mark of the Web (MOTW) Protection Mechanism Failure Vulnerability

CVE-2024-55591 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

CVE-2025-21335 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability

CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability

CVE-2012-5076 Oracle Java SE Sandbox Bypass Vulnerability

Common CWEs

HighCWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-1108 Excessive Reliance on Global Variables

CWE-164 Improper Neutralization of Internal Special Elements

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

MediumCWE-374 Passing Mutable Objects to an Untrusted Method

CWE-44 Path Equivalence: 'file.name' (Internal Dot)

CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

CWE-1394 Use of Default Cryptographic Key

CWE-489 Active Debug Code

CWE-280 Improper Handling of Insufficient Permissions or Privileges