{"id":"https://openalex.org/W7133313897","doi":"https://doi.org/10.48550/arxiv.2603.00476","title":"Atomicity for Agents: Exposing, Exploiting, and Mitigating TOCTOU Vulnerabilities in Browser-Use Agents","display_name":"Atomicity for Agents: Exposing, Exploiting, and Mitigating TOCTOU Vulnerabilities in Browser-Use Agents","publication_year":2026,"publication_date":"2026-02-28","ids":{"openalex":"https://openalex.org/W7133313897","doi":"https://doi.org/10.48550/arxiv.2603.00476"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.00476","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.00476","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.00476","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5029860118","display_name":"Linxi Jiang","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Jiang, Linxi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5127885555","display_name":"Zhijie Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Zhijie","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128023543","display_name":"Haotian Luo","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Luo, Haotian","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5127908204","display_name":"Zhiqiang Lin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lin, Zhiqiang","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5029860118"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.699999988079071,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.699999988079071,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.15719999372959137,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.027000000700354576,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7476000189781189},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.565500020980835},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.5443999767303467},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.47350001335144043},{"id":"https://openalex.org/keywords/unintended-consequences","display_name":"Unintended consequences","score":0.4043000042438507},{"id":"https://openalex.org/keywords/web-page","display_name":"Web page","score":0.38839998841285706},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.37630000710487366},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.35929998755455017},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.3522999882698059}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7878000140190125},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7476000189781189},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.567300021648407},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.565500020980835},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.5443999767303467},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.47350001335144043},{"id":"https://openalex.org/C2776889888","wikidata":"https://www.wikidata.org/wiki/Q1135789","display_name":"Unintended consequences","level":2,"score":0.4043000042438507},{"id":"https://openalex.org/C21959979","wikidata":"https://www.wikidata.org/wiki/Q36774","display_name":"Web page","level":2,"score":0.38839998841285706},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.37630000710487366},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.35929998755455017},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.3522999882698059},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.3452000021934509},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.33959999680519104},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.33559998869895935},{"id":"https://openalex.org/C40842320","wikidata":"https://www.wikidata.org/wiki/Q19423","display_name":"Buffer overflow","level":2,"score":0.3319000005722046},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.3174999952316284},{"id":"https://openalex.org/C2778751112","wikidata":"https://www.wikidata.org/wiki/Q835016","display_name":"Window (computing)","level":2,"score":0.3167000114917755},{"id":"https://openalex.org/C96865113","wikidata":"https://www.wikidata.org/wiki/Q2946816","display_name":"Certificate","level":2,"score":0.3102000057697296},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.3052000105381012},{"id":"https://openalex.org/C2778755073","wikidata":"https://www.wikidata.org/wiki/Q10858537","display_name":"Scale (ratio)","level":2,"score":0.3000999987125397},{"id":"https://openalex.org/C113954288","wikidata":"https://www.wikidata.org/wiki/Q186885","display_name":"Timestamp","level":2,"score":0.2930000126361847},{"id":"https://openalex.org/C188045909","wikidata":"https://www.wikidata.org/wiki/Q3306359","display_name":"Atomicity","level":3,"score":0.28859999775886536},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.28209999203681946},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.27970001101493835},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.27730000019073486},{"id":"https://openalex.org/C48145219","wikidata":"https://www.wikidata.org/wiki/Q1335365","display_name":"Security token","level":2,"score":0.26579999923706055},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.25870001316070557},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.25859999656677246},{"id":"https://openalex.org/C774472","wikidata":"https://www.wikidata.org/wiki/Q6760393","display_name":"Margin (machine learning)","level":2,"score":0.2563999891281128},{"id":"https://openalex.org/C100158260","wikidata":"https://www.wikidata.org/wiki/Q1650567","display_name":"Dynamic web page","level":3,"score":0.25380000472068787}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.00476","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.00476","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.00476","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.00476","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.7461732029914856,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Browser-use":[0],"agents":[1,38,90,110],"are":[2,116],"widely":[3],"used":[4],"for":[5],"everyday":[6],"tasks.":[7],"They":[8],"enable":[9],"automated":[10],"interaction":[11],"with":[12],"web":[13,29,68],"pages":[14,30],"through":[15],"structured":[16],"DOM":[17,129],"based":[18,42,123],"interfaces":[19],"or":[20,66],"vision":[21],"language":[22],"models":[23],"operating":[24],"on":[25,43,124],"page":[26,138],"screenshots.":[27],"However,":[28],"often":[31],"change":[32],"between":[33],"planning":[34,134],"and":[35,97,111,130,135,152],"execution,":[36],"causing":[37],"to":[39,56,74],"execute":[40],"actions":[41],"stale":[44],"assumptions.":[45],"We":[46,78,118],"view":[47],"this":[48,72,102],"temporal":[49],"mismatch":[50],"as":[51],"a":[52,80,92,120],"time":[53,57],"of":[54,58,85,149],"check":[55],"use":[59],"(TOCTOU)":[60],"vulnerability":[61],"in":[62,88,157],"browser-use":[63,89,158],"agents.":[64,159],"Dynamic":[65],"adversarial":[67],"content":[69],"can":[70],"exploit":[71],"window":[73],"induce":[75],"unintended":[76,154],"actions.":[77],"present":[79],"large":[81],"scale":[82],"empirical":[83],"study":[84],"TOCTOU":[86,114],"vulnerabilities":[87,115],"using":[91],"benchmark":[93],"that":[94,113],"spans":[95],"synthesized":[96],"real":[98],"world":[99],"websites.":[100],"Using":[101],"benchmark,":[103],"we":[104],"evaluate":[105],"10":[106],"popular":[107],"open":[108],"source":[109],"show":[112],"widespread.":[117],"design":[119],"lightweight":[121],"mitigation":[122],"pre-execution":[125],"validation.":[126],"It":[127],"monitors":[128],"layout":[131],"changes":[132],"during":[133],"validates":[136],"the":[137,147],"state":[139],"immediately":[140],"before":[141],"action":[142],"execution.":[143],"This":[144],"approach":[145],"reduces":[146],"risk":[148],"insecure":[150],"execution":[151],"mitigates":[153],"side":[155],"effects":[156]},"counts_by_year":[],"updated_date":"2026-03-04T07:09:34.246503","created_date":"2026-03-04T00:00:00"}