(no title)

https://en.cppreference.com/w/cpp/filesystem

> The behavior is undefined if the calls to functions in this library introduce a file system race, that is, when multiple threads, processes, or computers interleave access and modification to the same object in a file system.

---

Golang also seems vulnerable to the same issue

https://github.com/golang/go/blob/d15481b8c7f5f73a8b987a0c1d...

Line 78 checks that the path isn't a symlink (time-of-check). Then line 97 calls openFdAt which on line 174 opens the path by name, without NOFOLLOW (time-of-use).

I bet this is a pretty common vulnerability.