Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1062 vulnerabilities reference this CWE, most recent first.

GHSA-7VGW-QF5J-7533

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2022-06-03 00:01
VLAI
Details

Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service. This is related to zipheadio.h:readUint32() and zipfile.cpp:Zipfile::Zipfile().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-17T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service. This is related to zipheadio.h:readUint32() and zipfile.cpp:Zipfile::Zipfile().",
  "id": "GHSA-7vgw-qf5j-7533",
  "modified": "2022-06-03T00:01:41Z",
  "published": "2022-05-24T16:50:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13453"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00041.html"
    },
    {
      "type": "WEB",
      "url": "https://salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-2-of-3"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/109282"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7W3M-9PFQ-8M82

Vulnerability from github – Published: 2025-03-04 03:31 – Updated: 2025-04-10 21:31
VLAI
Details

In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS).  There is no control plane exposure; this is a data plane issue only.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-04T01:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization.  This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). \u00a0There is no control plane exposure; this is a data plane issue only. \u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-7w3m-9pfq-8m82",
  "modified": "2025-04-10T21:31:07Z",
  "published": "2025-03-04T03:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1695"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000149959"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7WPV-4QH2-R4FV

Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30
VLAI
Details

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T16:15:23Z",
    "severity": "HIGH"
  },
  "details": "An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.",
  "id": "GHSA-7wpv-4qh2-r4fv",
  "modified": "2024-11-12T18:30:56Z",
  "published": "2024-11-12T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50320"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-Multiple-CVEs-Q4-2024-Release"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7X3M-MXJP-769R

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-lltd.c had an infinite loop that was addressed by using a correct integer data type.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-23T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-lltd.c had an infinite loop that was addressed by using a correct integer data type.",
  "id": "GHSA-7x3m-mxjp-769r",
  "modified": "2022-05-13T01:53:20Z",
  "published": "2022-05-13T01:53:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7326"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14419"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=293b999425e998d6cde0d9149648e421ea7687d0"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2018-06.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103158"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7X8Q-X29W-WPG4

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-02T05:29:00Z",
    "severity": "HIGH"
  },
  "details": "A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop).",
  "id": "GHSA-7x8q-x29w-wpg4",
  "modified": "2022-05-13T01:47:57Z",
  "published": "2022-05-13T01:47:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9358"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/863906"
    },
    {
      "type": "WEB",
      "url": "http://downloads.asterisk.org/pub/security/AST-2017-004.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98573"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038531"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-827X-XJFM-CW2C

Vulnerability from github – Published: 2023-07-18 15:30 – Updated: 2024-04-04 06:13
VLAI
Details

In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-18T14:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.",
  "id": "GHSA-827x-xjfm-cw2c",
  "modified": "2024-04-04T06:13:20Z",
  "published": "2023-07-18T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33294"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=27501"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/pipermail/elfutils-devel/2021q1/003607.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8299-XH3W-XHX5

Vulnerability from github – Published: 2026-07-16 18:31 – Updated: 2026-07-17 15:32
VLAI
Details

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes.

The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever.

Nameless attributes such as "" or unbalanced quotes "" can trigger this condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-16T17:16:55Z",
    "severity": "HIGH"
  },
  "details": "XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes.\n\nThe parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever.\n\nNameless attributes such as \"\u003ca =\u0027c\u0027\u003e\" or unbalanced quotes \"\u003ca b=\u0027\u0027\u0027\u0027\u0027\u0027\u0027c\u0027\u003e\" can trigger this condition.",
  "id": "GHSA-8299-xh3w-xhx5",
  "modified": "2026-07-17T15:32:23Z",
  "published": "2026-07-16T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13401"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nanoscopic/perl-XML-Bare/pull/2"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/patches/X/XML-Bare/0.53/CVE-2026-13401-r1.patch"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/16/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83G2-8M93-V3W7

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2024-05-20 20:30
VLAI
Summary
golang.org/x/net/html Infinite Loop vulnerability
Details

Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "golang.org/x/net"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20210520170846-37e1c6afe023"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-33194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T00:33:11Z",
    "nvd_published_at": "2021-05-26T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input.",
  "id": "GHSA-83g2-8m93-v3w7",
  "modified": "2024-05-20T20:30:54Z",
  "published": "2022-05-24T19:03:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/311090"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/46288"
    },
    {
      "type": "WEB",
      "url": "https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/wPunbCPkWUg"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0238"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "golang.org/x/net/html Infinite Loop vulnerability"
}

GHSA-83GH-Q9XF-W4XR

Vulnerability from github – Published: 2025-01-31 12:33 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

filemap: avoid truncating 64-bit offset to 32 bits

On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T12:15:27Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: avoid truncating 64-bit offset to 32 bits\n\nOn 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a\n64-bit value to 32 bits, leading to a possible infinite loop when writing\nto an xfs filesystem.",
  "id": "GHSA-83gh-q9xf-w4xr",
  "modified": "2025-11-03T21:32:30Z",
  "published": "2025-01-31T12:33:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21665"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09528bb1a4123e2a234eac2bc45a0e51e78dab43"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/280f1fb89afc01e7376f59ae611d54ca69e9f967"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64e5fd96330df2ad278d1c4edcca581f26e5f76e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80fc836f3ebe2f2d2d2c80c698b7667974285a04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f505e6c91e7a22d10316665a86d79f84d9f0ba76"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84GJ-C6VV-GH4Q

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16
VLAI
Details

The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-05-23T19:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.",
  "id": "GHSA-84gj-c6vv-gh4q",
  "modified": "2022-05-13T01:16:26Z",
  "published": "2022-05-13T01:16:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8558"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1277983"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02124.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201602-01"
    },
    {
      "type": "WEB",
      "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=156a2e4dbffa85997636a7a39ef12da6f1b40254"
    },
    {
      "type": "WEB",
      "url": "http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3469"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3470"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3471"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/12/14/16"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/12/14/9"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/80694"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.