CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-JGX8-H977-4WFH
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-23 21:30In the Linux kernel, the following vulnerability has been resolved:
riscv: VMAP_STACK overflow detection thread-safe
commit 31da94c25aea ("riscv: add VMAP_STACK overflow detection") added
support for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to
shadow_stack temporarily before switching finally to per-cpu
overflow_stack.
If two CPUs/harts are racing and end up in over flowing kernel stack, one
or both will end up corrupting each other state because shadow_stack is
not per-cpu. This patch optimizes per-cpu overflow stack switch by
directly picking per-cpu overflow_stack and gets rid of shadow_stack.
Following are the changes in this patch
- Defines an asm macro to obtain per-cpu symbols in destination register.
- In entry.S, when overflow is detected, per-cpu overflow stack is located using per-cpu asm macro. Computing per-cpu symbol requires a temporary register. x31 is saved away into CSR_SCRATCH (CSR_SCRATCH is anyways zero since we're in kernel).
Please see Links for additional relevant disccussion and alternative solution.
Tested by echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT
Kernel crash log below
Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT Task stack: [0xff20000010a98000..0xff20000010a9c000] Overflow stack: [0xff600001f7d98370..0xff600001f7d99370] CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34 Hardware name: riscv-virtio,qemu (DT) epc : __memset+0x60/0xfc ra : recursive_loop+0x48/0xc6 [lkdtm] epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80 gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88 t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0 s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000 a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000 a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90 s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684 s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10 s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4 t5 : ffffffff815dbab8 t6 : ff20000010a9bb48 status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f Kernel panic - not syncing: Kernel stack overflow CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x30/0x38 [] show_stack+0x40/0x4c [] dump_stack_lvl+0x44/0x5c [] dump_stack+0x18/0x20 [] panic+0x126/0x2fe [] walk_stackframe+0x0/0xf0 [] recursive_loop+0x48/0xc6 [lkdtm] SMP: stopping secondary CPUs ---[ end Kernel panic - not syncing: Kernel stack overflow ]---
{
"affected": [],
"aliases": [
"CVE-2023-52761"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we\u0027re in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK \u003e /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [\u003cffffffff80006754\u003e] dump_backtrace+0x30/0x38\n [\u003cffffffff808de798\u003e] show_stack+0x40/0x4c\n [\u003cffffffff808ea2a8\u003e] dump_stack_lvl+0x44/0x5c\n [\u003cffffffff808ea2d8\u003e] dump_stack+0x18/0x20\n [\u003cffffffff808dec06\u003e] panic+0x126/0x2fe\n [\u003cffffffff800065ea\u003e] walk_stackframe+0x0/0xf0\n [\u003cffffffff0163a752\u003e] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---",
"id": "GHSA-jgx8-h977-4wfh",
"modified": "2025-09-23T21:30:53Z",
"published": "2024-05-21T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52761"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHXW-FQXP-J75J
Vulnerability from github – Published: 2022-05-01 17:52 – Updated: 2025-04-09 03:38The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.
{
"affected": [],
"aliases": [
"CVE-2007-1285"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-03-06T20:19:00Z",
"severity": "MODERATE"
},
"details": "The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.",
"id": "GHSA-jhxw-fqxp-j75j",
"modified": "2025-04-09T03:38:31Z",
"published": "2022-05-01T17:52:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1285"
},
{
"type": "WEB",
"url": "https://issues.rpath.com/browse/RPL-1268"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/173043"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11017"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/549-1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2007-07/msg00006.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2007-0154.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2007-0155.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2007-0163.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/24909"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/24910"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/24924"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/24941"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/24945"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/25445"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26048"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26642"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27864"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28936"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200705-19.xml"
},
{
"type": "WEB",
"url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2008\u0026m=slackware-security.335136"
},
{
"type": "WEB",
"url": "http://us2.php.net/releases/4_4_7.php"
},
{
"type": "WEB",
"url": "http://us2.php.net/releases/5_2_2.php"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:087"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:088"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:089"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:090"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/32769"
},
{
"type": "WEB",
"url": "http://www.php-security.org/MOPB/MOPB-03-2007.html"
},
{
"type": "WEB",
"url": "http://www.php.net/ChangeLog-4.php"
},
{
"type": "WEB",
"url": "http://www.php.net/ChangeLog-5.php#5.2.4"
},
{
"type": "WEB",
"url": "http://www.php.net/releases/4_4_8.php"
},
{
"type": "WEB",
"url": "http://www.php.net/releases/5_2_4.php"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0082.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0162.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/466166/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/22764"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1017771"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-549-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJWC-P294-59XW
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 15:30Monero protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
{
"affected": [],
"aliases": [
"CVE-2026-5409"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T07:16:38Z",
"severity": "MODERATE"
},
"details": "Monero protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
"id": "GHSA-jjwc-p294-59xw",
"modified": "2026-04-30T15:30:39Z",
"published": "2026-04-30T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5409"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/21066"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/work_items/21066"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2026-08.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPVF-6235-4RH8
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Fix signed integer truncation in IPC receive
Fix potential buffer overflow where firmware-supplied data_size is cast to signed int before being used in min_t(). Large unsigned values (>= 0x80000000) become negative, causing unsigned wraparound and oversized memcpy operations that can overflow the stack buffer.
Change min_t(int, ...) to min() as both values are unsigned and can be handled by min() without explicit cast.
{
"affected": [],
"aliases": [
"CVE-2026-53202"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:37Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix signed integer truncation in IPC receive\n\nFix potential buffer overflow where firmware-supplied data_size is cast\nto signed int before being used in min_t(). Large unsigned values\n(\u003e= 0x80000000) become negative, causing unsigned wraparound and\noversized memcpy operations that can overflow the stack buffer.\n\nChange min_t(int, ...) to min() as both values are unsigned and can be\nhandled by min() without explicit cast.",
"id": "GHSA-jpvf-6235-4rh8",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-25T09:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53202"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53202"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492823"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2821bf2b79e47f87e1dbdd9d25c78240965a97d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/45cb105b8642c65e9be286f7058e92314efe7ea3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4788556d4dd9d717037e385de178974e9649231d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9faef564438d1e4579c692c046603e7ada7bdf4"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53202.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPVX-HR4H-P665
Vulnerability from github – Published: 2022-10-07 00:00 – Updated: 2022-10-11 19:00It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. This condition was only possible to trigger in dev-mode (when asserts were enabled). This issue affects Hermes versions prior to v0.12.0.
{
"affected": [],
"aliases": [
"CVE-2022-27810"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-06T20:15:00Z",
"severity": "HIGH"
},
"details": "It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. This condition was only possible to trigger in dev-mode (when asserts were enabled). This issue affects Hermes versions prior to v0.12.0.",
"id": "GHSA-jpvx-hr4h-p665",
"modified": "2022-10-11T19:00:27Z",
"published": "2022-10-07T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27810"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2022-27810"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQPV-H2G7-5CMM
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 09:30ASN.1 PER protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
{
"affected": [],
"aliases": [
"CVE-2026-6527"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T07:16:39Z",
"severity": "MODERATE"
},
"details": "ASN.1 PER protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
"id": "GHSA-jqpv-h2g7-5cmm",
"modified": "2026-04-30T09:30:25Z",
"published": "2026-04-30T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6527"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/work_items/21149"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2026-34.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR27-M4P2-RC6R
Vulnerability from github – Published: 2026-03-17 16:17 – Updated: 2026-05-01 18:31Summary
The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application.
Details
The vulnerability exists because the decoder iterates through the input stream and recursively calls decodeFun (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.
Vulnerable Code Locations:
1. indefLenValueDecoder (Line 998):
for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):
This method handles indefinite-length constructed types. It sits inside a while True loop and recursively calls the decoder for every nested tag.
-
valueDecoder(Lines 786 and 907):for component in decodeFun(substrate, componentType, **options):This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components ofSEQUENCEorSETtypes. Line 907: Recursively decodes elements ofSEQUENCE OForSET OFtypes. -
_decodeComponentsSchemaless(Line 661):for component in decodeFun(substrate, **options):This method handles decoding when no schema is provided.
In all three cases, decodeFun is invoked without passing a depth parameter or checking against a global MAX_ASN1_NESTING limit.
PoC
import sys
from pyasn1.codec.ber import decoder
sys.setrecursionlimit(100000)
print("[*] Generating Recursion Bomb Payload...")
depth = 50_000
chunk = b'\x30\x80'
payload = chunk * depth
print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering Decoder...")
try:
decoder.decode(payload)
except RecursionError:
print("[!] Crashed: Recursion Limit Hit")
except MemoryError:
print("[!] Crashed: Out of Memory")
except Exception as e:
print(f"[!] Crashed: {e}")
[*] Payload size: 9.77 KB
[*] Triggering Decoder...
[!] Crashed: Recursion Limit Hit
Impact
- This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.
- Service Crash: Any service using
pyasn1to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely. - Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.
Credits
Vulnerability discovered by Kevin Tu of TMIR at ByteDance.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.2"
},
"package": {
"ecosystem": "PyPI",
"name": "pyasn1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30922"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T16:17:33Z",
"nvd_published_at": "2026-03-18T04:17:18Z",
"severity": "HIGH"
},
"details": "### Summary\nThe `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with Indefinite Length (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application.\n\n### Details\nThe vulnerability exists because the decoder iterates through the input stream and recursively calls `decodeFun` (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.\nVulnerable Code Locations:\n1. `indefLenValueDecoder` (Line 998):\n```for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):```\nThis method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag.\n\n2. `valueDecoder` (Lines 786 and 907):\n```for component in decodeFun(substrate, componentType, **options):```\nThis method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of `SEQUENCE` or `SET` types. Line 907: Recursively decodes elements of `SEQUENCE OF` or `SET OF` types.\n\n4. `_decodeComponentsSchemaless` (Line 661):\n```for component in decodeFun(substrate, **options):```\nThis method handles decoding when no schema is provided.\n\nIn all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit.\n\n### PoC\n```\nimport sys\nfrom pyasn1.codec.ber import decoder\n\nsys.setrecursionlimit(100000)\n\nprint(\"[*] Generating Recursion Bomb Payload...\")\ndepth = 50_000\nchunk = b\u0027\\x30\\x80\u0027 \npayload = chunk * depth\n\nprint(f\"[*] Payload size: {len(payload) / 1024:.2f} KB\")\nprint(\"[*] Triggering Decoder...\")\n\ntry:\n decoder.decode(payload)\nexcept RecursionError:\n print(\"[!] Crashed: Recursion Limit Hit\")\nexcept MemoryError:\n print(\"[!] Crashed: Out of Memory\")\nexcept Exception as e:\n print(f\"[!] Crashed: {e}\")\n```\n\n```\n[*] Payload size: 9.77 KB\n[*] Triggering Decoder...\n[!] Crashed: Recursion Limit Hit\n```\n\n### Impact\n- This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (\u003c100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.\n- Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.\n- Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (\u003c200KB) can consume hundreds of megabytes of RAM or exhaust the stack.\n\n### Credits\nVulnerability discovered by Kevin Tu of TMIR at ByteDance.",
"id": "GHSA-jr27-m4p2-rc6r",
"modified": "2026-05-01T18:31:19Z",
"published": "2026-03-17T16:17:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30922"
},
{
"type": "WEB",
"url": "https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0"
},
{
"type": "WEB",
"url": "https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyasn1/pyasn1"
},
{
"type": "WEB",
"url": "https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00001.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/20/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in pyasn1 via Unbounded Recursion"
}
GHSA-JR7H-C43F-FRMR
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03Stack overflow vulnerability in parse_array Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2020-18392"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-28T21:15:00Z",
"severity": "MODERATE"
},
"details": "Stack overflow vulnerability in parse_array Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.",
"id": "GHSA-jr7h-c43f-frmr",
"modified": "2022-05-24T19:03:36Z",
"published": "2022-05-24T19:03:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18392"
},
{
"type": "WEB",
"url": "https://github.com/cesanta/mjs/issues/106"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/674.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JV2J-MQMW-XVV5
Vulnerability from github – Published: 2026-06-19 22:10 – Updated: 2026-06-19 22:10An authenticated user could crash a SurrealDB server with a single query containing a long chain of operators.
Such a query — for example RETURN 1 + 1 + 1 + ... with tens of thousands of terms — is parsed into an expression tree one level deep per operator. Because the chain is flat and the pratt parser appends to it iteratively, the configured query- and object-recursion limits never fire, so the tree grows unbounded with the length of the query.
The root cause: the over-deep tree is later walked recursively, one call per node, when it is dropped, formatted, or lowered for execution — overflowing the thread stack and aborting the process.
Impact
An authenticated user with query-execution privileges can crash a SurrealDB server with a single query containing a long chain of operators. The whole process aborts, denying service to every namespace and database on that instance until it is restarted. The crash occurs during query processing, before any data is read or written (availability only).
Patches
A patch introduces a dedicated expression-depth budget — expr_recursion_limit, sourced from max_expression_parsing_depth (default 128, configurable via SURREAL_MAX_EXPRESSION_PARSING_DEPTH). It is charged once per pratt-parser level and once per operator appended to the spine, so an over-deep operator chain is rejected with a syntax error instead of building a tree that overflows the stack downstream. Paths that re-parse already-validated stored data are exempted, so existing databases with deep stored expressions still load.
- Versions 3.1.5 and later are not affected by this issue.
Workarounds
Users unable to patch should consider the following workarounds:
- Restrict the ability of untrusted users to execute arbitrary queries via the
--deny-arbitrary-querycapability flag for the affected user classes (guest, record, or system). - Restrict untrusted access to the WebSocket
/rpcendpoint, which accepts larger request bodies than the HTTP/sqlendpoint. The/sqlendpoint's 1 MiB body limit lowers the achievable operator depth but does not by itself guarantee the stack cannot be exhausted. - Run SurrealDB under an orchestrator or process manager that restarts it automatically on exit (e.g. Kubernetes, systemd
Restart=on-failure, or a Docker restart policy), so the server recovers immediately after a crash. This limits downtime from a successful attack but does not prevent the crash.
References
- SurrealQL Documentation — Operators
fix(syn): bound expression operator-tree depth to prevent stack-overflow DoS
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T22:10:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "An authenticated user could crash a SurrealDB server with a single query containing a long chain of operators.\n\nSuch a query \u2014 for example `RETURN 1 + 1 + 1 + ...` with tens of thousands of terms \u2014 is parsed into an expression tree one level deep per operator. Because the chain is flat and the pratt parser appends to it iteratively, the configured query- and object-recursion limits never fire, so the tree grows unbounded with the length of the query.\n\nThe root cause: the over-deep tree is later walked recursively, one call per node, when it is dropped, formatted, or lowered for execution \u2014 overflowing the thread stack and aborting the process.\n\n### Impact\n\nAn authenticated user with query-execution privileges can crash a SurrealDB server with a single query containing a long chain of operators. The whole process aborts, denying service to every namespace and database on that instance until it is restarted. The crash occurs during query processing, before any data is read or written (availability only).\n\n### Patches\n\nA patch introduces a dedicated expression-depth budget \u2014 `expr_recursion_limit`, sourced from `max_expression_parsing_depth` (default 128, configurable via `SURREAL_MAX_EXPRESSION_PARSING_DEPTH`). It is charged once per pratt-parser level and once per operator appended to the spine, so an over-deep operator chain is rejected with a syntax error instead of building a tree that overflows the stack downstream. Paths that re-parse already-validated stored data are exempted, so existing databases with deep stored expressions still load.\n\n- Versions 3.1.5 and later are not affected by this issue.\n\n### Workarounds\n\nUsers unable to patch should consider the following workarounds:\n\n- Restrict the ability of untrusted users to execute arbitrary queries via the `--deny-arbitrary-query` capability flag for the affected user classes (guest, record, or system).\n- Restrict untrusted access to the WebSocket `/rpc` endpoint, which accepts larger request bodies than the HTTP `/sql` endpoint. The `/sql` endpoint\u0027s 1 MiB body limit lowers the achievable operator depth but does not by itself guarantee the stack cannot be exhausted.\n- Run SurrealDB under an orchestrator or process manager that restarts it automatically on exit (e.g. Kubernetes, systemd `Restart=on-failure`, or a Docker restart policy), so the server recovers immediately after a crash. This limits downtime from a successful attack but does not prevent the crash.\n\n### References\n\n- [SurrealQL Documentation \u2014 Operators](https://surrealdb.com/docs/surrealql/operators)\n- `fix(syn): bound expression operator-tree depth to prevent stack-overflow DoS`",
"id": "GHSA-jv2j-mqmw-xvv5",
"modified": "2026-06-19T22:10:55Z",
"published": "2026-06-19T22:10:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-jv2j-mqmw-xvv5"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SurrealDB: Denial of Service via deep operator chains"
}
GHSA-JVCG-848P-WJGF
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-26 21:30In the Linux kernel, the following vulnerability has been resolved:
nbd: fix incomplete validation of ioctl arg
We tested and found an alarm caused by nbd_ioctl arg without verification. The UBSAN warning calltrace like below:
UBSAN: Undefined behaviour in fs/buffer.c:1709:35 signed integer overflow: -9223372036854775808 - 1 cannot be represented in type 'long long int' CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78 show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x170/0x1dc lib/dump_stack.c:118 ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161 handle_overflow+0x188/0x1dc lib/ubsan.c:192 __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206 __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709 block_write_full_page+0x1f0/0x280 fs/buffer.c:2934 blkdev_writepage+0x34/0x40 fs/block_dev.c:607 __writepage+0x68/0xe8 mm/page-writeback.c:2305 write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240 generic_writepages+0xdc/0x148 mm/page-writeback.c:2329 blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114 do_writepages+0xd4/0x250 mm/page-writeback.c:2344
The reason for triggering this warning is __block_write_full_page() -> i_size_read(inode) - 1 overflow. inode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize. We think it is necessary to limit the size of arg to prevent errors.
Moreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int. Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine), it will become 1 after the coercion, which will return unexpected results.
Fix it by adding checks to prevent passing in too large numbers.
{
"affected": [],
"aliases": [
"CVE-2023-53513"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:55Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix incomplete validation of ioctl arg\n\nWe tested and found an alarm caused by nbd_ioctl arg without verification.\nThe UBSAN warning calltrace like below:\n\nUBSAN: Undefined behaviour in fs/buffer.c:1709:35\nsigned integer overflow:\n-9223372036854775808 - 1 cannot be represented in type \u0027long long int\u0027\nCPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78\n show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x170/0x1dc lib/dump_stack.c:118\n ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161\n handle_overflow+0x188/0x1dc lib/ubsan.c:192\n __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206\n __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709\n block_write_full_page+0x1f0/0x280 fs/buffer.c:2934\n blkdev_writepage+0x34/0x40 fs/block_dev.c:607\n __writepage+0x68/0xe8 mm/page-writeback.c:2305\n write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240\n generic_writepages+0xdc/0x148 mm/page-writeback.c:2329\n blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114\n do_writepages+0xd4/0x250 mm/page-writeback.c:2344\n\nThe reason for triggering this warning is __block_write_full_page()\n-\u003e i_size_read(inode) - 1 overflow.\ninode-\u003ei_size is assigned in __nbd_ioctl() -\u003e nbd_set_size() -\u003e bytesize.\nWe think it is necessary to limit the size of arg to prevent errors.\n\nMoreover, __nbd_ioctl() -\u003e nbd_add_socket(), arg will be cast to int.\nAssuming the value of arg is 0x80000000000000001) (on a 64-bit machine),\nit will become 1 after the coercion, which will return unexpected results.\n\nFix it by adding checks to prevent passing in too large numbers.",
"id": "GHSA-jvcg-848p-wjgf",
"modified": "2026-01-26T21:30:30Z",
"published": "2025-10-01T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53513"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52851d0c3354b397c11d31dfeb8b2a2fc85a0002"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/55793ea54d77719a071b1ccc05a05056e3b5e009"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fab766c8a1aff715bce7075aab40e780266f8e1a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffb75ffaa68723276365d0f9d00b03362b750657"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.