Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1057 vulnerabilities reference this CWE, most recent first.

GHSA-4CCC-VVPW-P7R3

Vulnerability from github – Published: 2024-01-10 09:30 – Updated: 2024-01-18 18:30
VLAI
Details

MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to contain an infinite loop in the function av1_uvlc at media_tools/av_parsers.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T09:15:44Z",
    "severity": "MODERATE"
  },
  "details": "MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to contain an infinite loop in the function av1_uvlc at media_tools/av_parsers.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.",
  "id": "GHSA-4ccc-vvpw-p7r3",
  "modified": "2024-01-18T18:30:23Z",
  "published": "2024-01-10T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50120"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/2698"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4CPQ-G6GC-93VR

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

In Long Range Zip (aka lrzip) 0.631, there is an infinite loop in the runzip_fd function of runzip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-27T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Long Range Zip (aka lrzip) 0.631, there is an infinite loop in the runzip_fd function of runzip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.",
  "id": "GHSA-4cpq-g6gc-93vr",
  "modified": "2022-05-13T01:53:50Z",
  "published": "2022-05-13T01:53:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckolivas/lrzip/issues/93"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4G52-PMX3-V5C4

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:45
VLAI
Details

The DNS packet parser in YADIFA before 2.2.6 does not check for the presence of infinite pointer loops, and thus it is possible to force it to enter an infinite loop. This can cause high CPU usage and makes the server unresponsive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-20T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "The DNS packet parser in YADIFA before 2.2.6 does not check for the presence of infinite pointer loops, and thus it is possible to force it to enter an infinite loop. This can cause high CPU usage and makes the server unresponsive.",
  "id": "GHSA-4g52-pmx3-v5c4",
  "modified": "2025-04-20T03:45:33Z",
  "published": "2022-05-13T01:43:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14339"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yadifa/yadifa/blob/v2.2.6/ChangeLog"
    },
    {
      "type": "WEB",
      "url": "https://www.tarlogic.com/blog/fuzzing-yadifa-dns"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-4001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4G9R-VXHX-9PGX

Vulnerability from github – Published: 2024-02-19 09:30 – Updated: 2025-11-04 19:43
VLAI
Summary
Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.commons:commons-compress"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3"
            },
            {
              "fixed": "1.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-25710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-20T23:58:47Z",
    "nvd_published_at": "2024-02-19T09:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\n\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.",
  "id": "GHSA-4g9r-vxhx-9pgx",
  "modified": "2025-11-04T19:43:57Z",
  "published": "2024-02-19T09:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/commons-compress"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240307-0010"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Aug/37"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/02/19/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file"
}

GHSA-4GQH-QPVP-GFXV

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-openflow_v6.c had an infinite loop that was addressed by validating property lengths.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-23T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-openflow_v6.c had an infinite loop that was addressed by validating property lengths.",
  "id": "GHSA-4gqh-qpvp-gfxv",
  "modified": "2022-05-13T01:53:20Z",
  "published": "2022-05-13T01:53:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7327"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14420"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=563989f888e51258edb9a27db56124bdc33c9afe"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2018-06.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103158"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4H39-8H6H-93X3

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16
VLAI
Details

libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-16T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.",
  "id": "GHSA-4h39-8h6h-93x3",
  "modified": "2022-05-13T01:16:21Z",
  "published": "2022-05-13T01:16:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14567"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3739-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105198"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HXQ-XF3V-3JXV

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

A denial of service vulnerability was discovered in Samba's LDAP server before versions 4.7.12, 4.8.7, and 4.9.3. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-28T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability was discovered in Samba\u0027s LDAP server before versions 4.7.12, 4.8.7, and 4.9.3. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service.",
  "id": "GHSA-4hxq-xf3v-3jxv",
  "modified": "2022-05-13T01:34:31Z",
  "published": "2022-05-13T01:34:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14629"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14629"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-52"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20181127-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3827-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3827-2"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4345"
    },
    {
      "type": "WEB",
      "url": "https://www.samba.org/samba/security/CVE-2018-14629.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4MM9-FMG4-Q68J

Vulnerability from github – Published: 2023-06-28 15:30 – Updated: 2023-06-28 15:30
VLAI
Details

A vulnerability in the Administrative XML Web Service (AXL) API of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of user-supplied input to the web UI of the Self Care Portal. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-28T15:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Administrative XML Web Service (AXL) API of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of user-supplied input to the web UI of the Self Care Portal. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device.",
  "id": "GHSA-4mm9-fmg4-q68j",
  "modified": "2023-06-28T15:30:23Z",
  "published": "2023-06-28T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20116"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-dos-4Ag3yWbD"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4P23-GP8G-G45X

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-04-20 03:38
VLAI
Details

libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to QPDFObjectHandle::parseInternal, aka qpdf-infiniteloop2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-23T04:29:00Z",
    "severity": "MODERATE"
  },
  "details": "libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to QPDFObjectHandle::parseInternal, aka qpdf-infiniteloop2.",
  "id": "GHSA-4p23-gp8g-g45x",
  "modified": "2025-04-20T03:38:11Z",
  "published": "2022-05-13T01:47:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9209"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/05/21/qpdf-three-infinite-loop-in-libqpdf"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3638-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PV3-63JW-4JW2

Vulnerability from github – Published: 2021-05-07 15:53 – Updated: 2022-10-07 20:41
VLAI
Summary
Missing Release of Memory after Effective Lifetime in Apache Tika
Details

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.24"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-9489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T22:53:02Z",
    "nvd_published_at": "2020-04-27T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A carefully crafted or corrupt file may trigger a System.exit in Tika\u0027s OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika\u0027s ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.",
  "id": "GHSA-4pv3-63jw-4jw2",
  "modified": "2022-10-07T20:41:22Z",
  "published": "2021-05-07T15:53:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tika/commit/0f4d5de0f85455e91433fb0b464ea0461d7c891d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tika"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/TIKA-3081"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5a07186cfa2442c%40%3Cdev.tika.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing Release of Memory after Effective Lifetime in Apache Tika"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.