Wind River Studio Developer Race Condition Vulnerability Allowing Token Misallocation and Impersonation
Vulnerability
A race condition vulnerability has been identified in Wind River Studio Developer version 24.11. Under heavy system load, this flaw can occur during authentication or token refresh operations, allowing one user to inadvertently receive a token intended for another user. This misallocation of tokens can lead to unauthorized impersonation until the affected session is terminated. The race condition occurs at random and cannot be intentionally exploited, as it requires concurrent actions from two users. However, if it occurs, it gives the affected user another user's system rights and data access.
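The class of bug described above, as an added illustration: this is not Wind River's code and makes no claim about how Studio Developer is implemented. The class names, the `after_store` hook and the users `alice` and `bob` are hypothetical; the hook forces the interleaving that heavy load would otherwise produce at random, so the shared-state issuer can be compared with one that keeps the identity in per-request state.

```python
import secrets
import threading

class SharedStateIssuer:
    """Vulnerable pattern: the identity being served lives on the shared instance."""
    def __init__(self):
        self.current_user = None  # one attribute shared by every request thread

    def issue(self, user, after_store=None):
        self.current_user = user  # step 1: store the identity in shared state
        if after_store:
            after_store()         # hypothetical hook: models a stall under load
        # step 2: read the identity back; another request may have overwritten it
        return {"sub": self.current_user, "token": secrets.token_hex(8)}

class PerRequestIssuer:
    """Hardened pattern: the identity never leaves the request's local scope."""
    def issue(self, user, after_store=None):
        subject = user
        if after_store:
            after_store()
        return {"sub": subject, "token": secrets.token_hex(8)}

def run_interleaved(issuer):
    """Force the order: alice stores, bob completes, alice resumes."""
    alice_stored, bob_done = threading.Event(), threading.Event()
    results = {}

    def alice():
        def pause():
            alice_stored.set()
            bob_done.wait(timeout=5)
        results["alice"] = issuer.issue("alice", after_store=pause)

    def bob():
        alice_stored.wait(timeout=5)
        results["bob"] = issuer.issue("bob")
        bob_done.set()

    threads = [threading.Thread(target=alice), threading.Thread(target=bob)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def misallocated(results):
    """Users whose returned token names a different subject than the requester."""
    return sorted(user for user, tok in results.items() if tok["sub"] != user)
```

With the shared-state issuer, `misallocated(run_interleaved(...))` reports `alice` holding a token whose subject is `bob`; with the per-request issuer it reports nothing.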
Impact
Exploitation of this vulnerability allows for session hijacking, where a user can gain access to another user's session, including their rights and data, until the session ends.
Remediation
Users experiencing instability issues in Wind River Studio Developer 24.11 are advised to log out and log back in. Wind River has released a patch for this vulnerability in version 25.05 patch 5. Customers should upgrade to this version and apply all updates and patches.
