CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1057 vulnerabilities reference this CWE, most recent first.
GHSA-4CCC-VVPW-P7R3
Vulnerability from github – Published: 2024-01-10 09:30 – Updated: 2024-01-18 18:30MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to contain an infinite loop in the function av1_uvlc at media_tools/av_parsers.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
{
"affected": [],
"aliases": [
"CVE-2023-50120"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-10T09:15:44Z",
"severity": "MODERATE"
},
"details": "MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to contain an infinite loop in the function av1_uvlc at media_tools/av_parsers.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.",
"id": "GHSA-4ccc-vvpw-p7r3",
"modified": "2024-01-18T18:30:23Z",
"published": "2024-01-10T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50120"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/2698"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4CPQ-G6GC-93VR
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53In Long Range Zip (aka lrzip) 0.631, there is an infinite loop in the runzip_fd function of runzip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.
{
"affected": [],
"aliases": [
"CVE-2018-9058"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-27T21:29:00Z",
"severity": "MODERATE"
},
"details": "In Long Range Zip (aka lrzip) 0.631, there is an infinite loop in the runzip_fd function of runzip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.",
"id": "GHSA-4cpq-g6gc-93vr",
"modified": "2022-05-13T01:53:50Z",
"published": "2022-05-13T01:53:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9058"
},
{
"type": "WEB",
"url": "https://github.com/ckolivas/lrzip/issues/93"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4G52-PMX3-V5C4
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:45The DNS packet parser in YADIFA before 2.2.6 does not check for the presence of infinite pointer loops, and thus it is possible to force it to enter an infinite loop. This can cause high CPU usage and makes the server unresponsive.
{
"affected": [],
"aliases": [
"CVE-2017-14339"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-20T16:29:00Z",
"severity": "HIGH"
},
"details": "The DNS packet parser in YADIFA before 2.2.6 does not check for the presence of infinite pointer loops, and thus it is possible to force it to enter an infinite loop. This can cause high CPU usage and makes the server unresponsive.",
"id": "GHSA-4g52-pmx3-v5c4",
"modified": "2025-04-20T03:45:33Z",
"published": "2022-05-13T01:43:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14339"
},
{
"type": "WEB",
"url": "https://github.com/yadifa/yadifa/blob/v2.2.6/ChangeLog"
},
{
"type": "WEB",
"url": "https://www.tarlogic.com/blog/fuzzing-yadifa-dns"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-4001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4G9R-VXHX-9PGX
Vulnerability from github – Published: 2024-02-19 09:30 – Updated: 2025-11-04 19:43Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.commons:commons-compress"
},
"ranges": [
{
"events": [
{
"introduced": "1.3"
},
{
"fixed": "1.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25710"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-20T23:58:47Z",
"nvd_published_at": "2024-02-19T09:15:37Z",
"severity": "MODERATE"
},
"details": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\n\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.",
"id": "GHSA-4g9r-vxhx-9pgx",
"modified": "2025-11-04T19:43:57Z",
"published": "2024-02-19T09:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-compress"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240307-0010"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Aug/37"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/19/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file"
}
GHSA-4GQH-QPVP-GFXV
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-openflow_v6.c had an infinite loop that was addressed by validating property lengths.
{
"affected": [],
"aliases": [
"CVE-2018-7327"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-23T22:29:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-openflow_v6.c had an infinite loop that was addressed by validating property lengths.",
"id": "GHSA-4gqh-qpvp-gfxv",
"modified": "2022-05-13T01:53:20Z",
"published": "2022-05-13T01:53:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7327"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14420"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=563989f888e51258edb9a27db56124bdc33c9afe"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2018-06.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4H39-8H6H-93X3
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
{
"affected": [],
"aliases": [
"CVE-2018-14567"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-16T20:29:00Z",
"severity": "MODERATE"
},
"details": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.",
"id": "GHSA-4h39-8h6h-93x3",
"modified": "2022-05-13T01:16:21Z",
"published": "2022-05-13T01:16:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14567"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3739-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105198"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HXQ-XF3V-3JXV
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34A denial of service vulnerability was discovered in Samba's LDAP server before versions 4.7.12, 4.8.7, and 4.9.3. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service.
{
"affected": [],
"aliases": [
"CVE-2018-14629"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-28T14:29:00Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability was discovered in Samba\u0027s LDAP server before versions 4.7.12, 4.8.7, and 4.9.3. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service.",
"id": "GHSA-4hxq-xf3v-3jxv",
"modified": "2022-05-13T01:34:31Z",
"published": "2022-05-13T01:34:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14629"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14629"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00005.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-52"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20181127-0001"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3827-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3827-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4345"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/security/CVE-2018-14629.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4MM9-FMG4-Q68J
Vulnerability from github – Published: 2023-06-28 15:30 – Updated: 2023-06-28 15:30A vulnerability in the Administrative XML Web Service (AXL) API of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of user-supplied input to the web UI of the Self Care Portal. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device.
{
"affected": [],
"aliases": [
"CVE-2023-20116"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-28T15:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Administrative XML Web Service (AXL) API of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of user-supplied input to the web UI of the Self Care Portal. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device.",
"id": "GHSA-4mm9-fmg4-q68j",
"modified": "2023-06-28T15:30:23Z",
"published": "2023-06-28T15:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20116"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-dos-4Ag3yWbD"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4P23-GP8G-G45X
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-04-20 03:38libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to QPDFObjectHandle::parseInternal, aka qpdf-infiniteloop2.
{
"affected": [],
"aliases": [
"CVE-2017-9209"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-23T04:29:00Z",
"severity": "MODERATE"
},
"details": "libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to QPDFObjectHandle::parseInternal, aka qpdf-infiniteloop2.",
"id": "GHSA-4p23-gp8g-g45x",
"modified": "2025-04-20T03:38:11Z",
"published": "2022-05-13T01:47:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9209"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/05/21/qpdf-three-infinite-loop-in-libqpdf"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3638-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4PV3-63JW-4JW2
Vulnerability from github – Published: 2021-05-07 15:53 – Updated: 2022-10-07 20:41A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.24"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tika:tika"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-9489"
],
"database_specific": {
"cwe_ids": [
"CWE-401",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T22:53:02Z",
"nvd_published_at": "2020-04-27T14:15:00Z",
"severity": "MODERATE"
},
"details": "A carefully crafted or corrupt file may trigger a System.exit in Tika\u0027s OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika\u0027s ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.",
"id": "GHSA-4pv3-63jw-4jw2",
"modified": "2022-10-07T20:41:22Z",
"published": "2021-05-07T15:53:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9489"
},
{
"type": "WEB",
"url": "https://github.com/apache/tika/commit/0f4d5de0f85455e91433fb0b464ea0461d7c891d"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tika"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/TIKA-3081"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5a07186cfa2442c%40%3Cdev.tika.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Missing Release of Memory after Effective Lifetime in Apache Tika"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.