CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1062 vulnerabilities reference this CWE, most recent first.
GHSA-9M99-GMCJ-9G66
Vulnerability from github – Published: 2022-09-03 00:00 – Updated: 2022-09-09 00:00wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.
{
"affected": [],
"aliases": [
"CVE-2021-44718"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-02T12:15:00Z",
"severity": "MODERATE"
},
"details": "wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.",
"id": "GHSA-9m99-gmcj-9g66",
"modified": "2022-09-09T00:00:55Z",
"published": "2022-09-03T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44718"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/releases"
},
{
"type": "WEB",
"url": "https://www.wolfssl.com/docs/security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9MM7-7F84-98C9
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-06-06 00:00Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.
{
"affected": [],
"aliases": [
"CVE-2015-5239"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-23T20:15:00Z",
"severity": "MODERATE"
},
"details": "Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.",
"id": "GHSA-9mm7-7f84-98c9",
"modified": "2022-06-06T00:00:34Z",
"published": "2022-05-24T17:07:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5239"
},
{
"type": "WEB",
"url": "https://github.com/qemu/qemu/commit/f9a70e79391f6d7c2a912d785239ee8effc1922d"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1188-security-advisory-14"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168077.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168646.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168671.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00026.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00005.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00011.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/09/02/7"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2745-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QFW-47FX-PXVC
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml.
{
"affected": [],
"aliases": [
"CVE-2018-7453"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-24T06:29:00Z",
"severity": "MODERATE"
},
"details": "Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml.",
"id": "GHSA-9qfw-47fx-pxvc",
"modified": "2022-05-13T01:53:23Z",
"published": "2022-05-13T01:53:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7453"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?p=814#p814"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QX2-HWJM-5MWW
Vulnerability from github – Published: 2025-08-14 18:31 – Updated: 2025-08-14 18:31A vulnerability in the management and VPN web servers of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition.
This vulnerability is due to improper validation of user-supplied input on an interface with VPN web services. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on an affected device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.
{
"affected": [],
"aliases": [
"CVE-2025-20243"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T17:15:38Z",
"severity": "HIGH"
},
"details": "A vulnerability in the management and VPN web servers of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition.\n\nThis vulnerability is due to improper validation of user-supplied input on an interface with VPN web services. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on an affected device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.",
"id": "GHSA-9qx2-hwjm-5mww",
"modified": "2025-08-14T18:31:29Z",
"published": "2025-08-14T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20243"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-dos-mfPekA6e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9RPF-MHCJ-GV7R
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-07-14 15:31libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
{
"affected": [],
"aliases": [
"CVE-2026-32777"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:19:44Z",
"severity": "MODERATE"
},
"details": "libexpat before 2.7.5 allows an infinite loop while parsing DTD content.",
"id": "GHSA-9rpf-mhcj-gv7r",
"modified": "2026-07-14T15:31:39Z",
"published": "2026-03-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32777"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/issues/1161"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/pull/1159"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/pull/1162"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://issues.oss-fuzz.com/issues/486993411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9RPJ-3FH9-94X5
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92 allows a local attacker to establish ICE connections to gnome-session with invalid authentication data (an invalid magic cookie). Each failed authentication attempt will leak a file descriptor in gnome-session. When the maximum number of file descriptors is exhausted in the gnome-session process, it will enter an infinite loop trying to communicate without success, consuming 100% of the CPU. The graphical session associated with the gnome-session process will stop working correctly, because communication with gnome-session is no longer possible.
{
"affected": [],
"aliases": [
"CVE-2017-11171"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T20:29:00Z",
"severity": "MODERATE"
},
"details": "Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92 allows a local attacker to establish ICE connections to gnome-session with invalid authentication data (an invalid magic cookie). Each failed authentication attempt will leak a file descriptor in gnome-session. When the maximum number of file descriptors is exhausted in the gnome-session process, it will enter an infinite loop trying to communicate without success, consuming 100% of the CPU. The graphical session associated with the gnome-session process will stop working correctly, because communication with gnome-session is no longer possible.",
"id": "GHSA-9rpj-3fh9-94x5",
"modified": "2022-05-13T01:42:11Z",
"published": "2022-05-13T01:42:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11171"
},
{
"type": "WEB",
"url": "https://github.com/GNOME/gnome-session/commit/b0dc999e0b45355314616321dbb6cb71e729fc9d"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1025068"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9V76-4QCC-FRGH
Vulnerability from github – Published: 2026-05-18 19:10 – Updated: 2026-05-18 19:10Executive Summary:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Announcement
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/397
CVSS Details
- Version: 3.1
- Severity:
- Score: 7.5
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
- Weakness: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Affected Platforms
- Platforms: All
- Architectures: All
Affected Packages
The vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below
.NET 10
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
.NET 9
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
.NET 8
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
Advisory FAQ
How do I know if I am affected?
If using a package listed in affected packages, an application is exposed to the vulnerability.
How do I fix the issue?
- To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If developers have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt them to update Visual Studio, which will also update the application's .NET SDKs.
- If an application references the vulnerable package, update the package reference to the patched version. Developers can list the versions they have installed by running the
dotnet --infocommand.
Once developers have installed the updated runtime or SDK, they should restart their apps for the update to take effect.
Additionally, if developers have deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If a potential security issue has been found in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the MSRC Researcher Portal. Further information can be found in the MSRC Report an Issue FAQ.
Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
Questions about this issue can be submitted to the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. Questions can be submitted through the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
Acknowledgements
hamayanhamayan Muhammad Abdul Rehman
Revisions
V1.0 (May 12, 2026): Advisory published.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x86"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-x64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-x64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x86"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x86"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-x64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-x64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-x64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-x64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42899"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T19:10:59Z",
"nvd_published_at": "2026-05-12T18:17:26Z",
"severity": "HIGH"
},
"details": "## Executive Summary: \n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nLoop with unreachable exit condition (\u0027infinite loop\u0027) in ASP.NET Core allows an unauthorized attacker to deny service over a network.\n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/397\n\n## CVSS Details\n\n- **Version:** 3.1\n- **Severity:** \n- **Score:** 7.5\n- **Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C \n- **Weakness:** CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\n\n## Affected Platforms\n\n- **Platforms:** All\n- **Architectures:** All\n\n## \u003ca name=\"affected-packages\"\u003e\u003c/a\u003eAffected Packages\nThe vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below\n\n### \u003ca name=\".NET 10\"\u003e\u003c/a\u003e.NET 10\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n\n### \u003ca name=\".NET 9\"\u003e\u003c/a\u003e.NET 9\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n\n\n### \u003ca name=\".NET 8\"\u003e\u003c/a\u003e.NET 8\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n\n## Advisory FAQ\n\n### \u003ca name=\"how-affected\"\u003e\u003c/a\u003eHow do I know if I am affected?\n\nIf using a package listed in [affected packages](#affected-packages), an application is exposed to the vulnerability.\n\n### \u003ca name=\"how-fix\"\u003e\u003c/a\u003eHow do I fix the issue?\n\n1. To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If developers have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt them to update Visual Studio, which will also update the application\u0027s .NET SDKs.\n2. If an application references the vulnerable package, update the package reference to the patched version. Developers can list the versions they have installed by running the `dotnet --info` command. \n\nOnce developers have installed the updated runtime or SDK, they should restart their apps for the update to take effect.\n\nAdditionally, if developers have deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf a potential security issue has been found in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue).\n\nSecurity reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.\n\n### Support\n\nQuestions about this issue can be submitted to the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. Questions can be submitted through the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2026-42899]( https://www.cve.org/CVERecord?id=CVE-2026-42899)\n\n### Acknowledgements\nhamayanhamayan\u202fMuhammad Abdul Rehman \n\n### Revisions\n\nV1.0 (May 12, 2026): Advisory published.",
"id": "GHSA-9v76-4qcc-frgh",
"modified": "2026-05-18T19:10:59Z",
"published": "2026-05-18T19:10:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dotnet/aspnetcore/security/advisories/GHSA-9v76-4qcc-frgh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42899"
},
{
"type": "WEB",
"url": "https://github.com/dotnet/announcements/issues/397"
},
{
"type": "PACKAGE",
"url": "https://github.com/dotnet/aspnetcore"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42899"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Microsoft Security Advisory CVE-2026-42899 \u2013 ASP.NET Core Denial of Service Vulnerability"
}
GHSA-9VJ4-WC7R-P844
Vulnerability from github – Published: 2026-01-21 01:05 – Updated: 2026-01-21 01:05Summary
Stack overflow via infinite recursion in MSL (Magick Scripting Language) <write> command when writing to MSL format.
Version
- ImageMagick 7.x (tested on current main branch)
- Commit: HEAD
- Requires: libxml2 support (for MSL parsing)
Steps to Reproduce
Method 1: Using ImageMagick directly
magick MSL:recursive.msl out.png
Method 2: Using OSS-Fuzz reproduce
python3 infra/helper.py build_fuzzers imagemagick
python3 infra/helper.py reproduce imagemagick msl_fuzzer recursive.msl
Or run the fuzzer directly:
./msl_fuzzer recursive.msl
Expected Behavior
ImageMagick should handle recursive MSL references gracefully by detecting the loop and returning an error.
Actual Behavior
Stack overflow causes process crash:
AddressSanitizer:DEADLYSIGNAL
==PID==ERROR: AddressSanitizer: stack-overflow
#0 MSLStartElement /src/imagemagick/coders/msl.c:7045
#1 xmlParseStartTag /src/libxml2/parser.c
#2 xmlParseChunk /src/libxml2/parser.c:11273
#3 ProcessMSLScript /src/imagemagick/coders/msl.c:7405
#4 WriteMSLImage /src/imagemagick/coders/msl.c:7867
#5 WriteImage /src/imagemagick/MagickCore/constitute.c:1346
#6 MSLStartElement /src/imagemagick/coders/msl.c:7045
... (infinite recursion, 287+ frames)
Root Cause Analysis
In coders/msl.c, the <write> command handler in MSLStartElement() (line ~7045) calls WriteImage(). When the output filename specifies MSL format (msl:filename), WriteMSLImage() is called, which parses the MSL file again via ProcessMSLScript().
If the MSL file references itself (directly or indirectly), this creates an infinite recursion loop:
MSLStartElement() → WriteImage() → WriteMSLImage() → ProcessMSLScript()
→ xmlParseChunk() → MSLStartElement() → ... (infinite loop)
Impact
- DoS: Guaranteed crash via stack exhaustion
- Affected: Any application using ImageMagick to process user-supplied MSL files
Additional Trigger Paths
The <read> command can also trigger recursion:
Indirect recursion is also possible (a.msl → b.msl → a.msl).
Fuzzer
This issue was discovered using a custom MSL fuzzer:
#include <cstdint>
#include <Magick++/Blob.h>
#include <Magick++/Image.h>
#include "utils.cc"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
if (IsInvalidSize(Size))
return(0);
try
{
const Magick::Blob blob(Data, Size);
Magick::Image image;
image.magick("MSL");
image.fileName("MSL:");
image.read(blob);
}
catch (Magick::Exception)
{
}
return(0);
}
This issue was found by Team FuzzingBrain @ Texas A&M University
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23874"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T01:05:23Z",
"nvd_published_at": "2026-01-20T01:15:57Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nStack overflow via infinite recursion in MSL (Magick Scripting Language) `\u003cwrite\u003e` command when writing to MSL format.\n\n## Version\n\n- ImageMagick 7.x (tested on current main branch)\n- Commit: HEAD\n- Requires: libxml2 support (for MSL parsing)\n\n## Steps to Reproduce\n\n### Method 1: Using ImageMagick directly\n\n```bash\nmagick MSL:recursive.msl out.png\n```\n\n### Method 2: Using OSS-Fuzz reproduce\n\n```bash\npython3 infra/helper.py build_fuzzers imagemagick\npython3 infra/helper.py reproduce imagemagick msl_fuzzer recursive.msl\n```\n\nOr run the fuzzer directly:\n```bash\n./msl_fuzzer recursive.msl\n```\n\n## Expected Behavior\n\nImageMagick should handle recursive MSL references gracefully by detecting the loop and returning an error.\n\n## Actual Behavior\n\nStack overflow causes process crash:\n\n```\nAddressSanitizer:DEADLYSIGNAL\n==PID==ERROR: AddressSanitizer: stack-overflow\n #0 MSLStartElement /src/imagemagick/coders/msl.c:7045\n #1 xmlParseStartTag /src/libxml2/parser.c\n #2 xmlParseChunk /src/libxml2/parser.c:11273\n #3 ProcessMSLScript /src/imagemagick/coders/msl.c:7405\n #4 WriteMSLImage /src/imagemagick/coders/msl.c:7867\n #5 WriteImage /src/imagemagick/MagickCore/constitute.c:1346\n #6 MSLStartElement /src/imagemagick/coders/msl.c:7045\n ... (infinite recursion, 287+ frames)\n```\n\n## Root Cause Analysis\n\nIn `coders/msl.c`, the `\u003cwrite\u003e` command handler in `MSLStartElement()` (line ~7045) calls `WriteImage()`. When the output filename specifies MSL format (`msl:filename`), `WriteMSLImage()` is called, which parses the MSL file again via `ProcessMSLScript()`.\n\nIf the MSL file references itself (directly or indirectly), this creates an infinite recursion loop:\n\n```\nMSLStartElement() \u2192 WriteImage() \u2192 WriteMSLImage() \u2192 ProcessMSLScript()\n \u2192 xmlParseChunk() \u2192 MSLStartElement() \u2192 ... (infinite loop)\n```\n\n## Impact\n\n- **DoS**: Guaranteed crash via stack exhaustion\n- **Affected**: Any application using ImageMagick to process user-supplied MSL files\n\n## Additional Trigger Paths\n\nThe `\u003cread\u003e` command can also trigger recursion:\n\nIndirect recursion is also possible (a.msl \u2192 b.msl \u2192 a.msl).\n\n## Fuzzer\n\nThis issue was discovered using a custom MSL fuzzer:\n\n```cpp\n#include \u003ccstdint\u003e\n#include \u003cMagick++/Blob.h\u003e\n#include \u003cMagick++/Image.h\u003e\n#include \"utils.cc\"\n\nextern \"C\" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)\n{\n if (IsInvalidSize(Size))\n return(0);\n try\n {\n const Magick::Blob blob(Data, Size);\n Magick::Image image;\n image.magick(\"MSL\");\n image.fileName(\"MSL:\");\n image.read(blob);\n }\n catch (Magick::Exception)\n {\n }\n return(0);\n}\n```\n\nThis issue was found by Team FuzzingBrain @ Texas A\u0026M University",
"id": "GHSA-9vj4-wc7r-p844",
"modified": "2026-01-21T01:05:23Z",
"published": "2026-01-21T01:05:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23874"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick MSL: Stack overflow via infinite recursion in ProcessMSLScript"
}
GHSA-9W8R-397F-PRFH
Vulnerability from github – Published: 2021-04-20 16:35 – Updated: 2024-10-14 16:12An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Pygments"
},
"ranges": [
{
"events": [
{
"introduced": "1.5"
},
{
"fixed": "2.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-20270"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-12T20:58:03Z",
"nvd_published_at": "2021-03-23T17:15:00Z",
"severity": "HIGH"
},
"details": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword.",
"id": "GHSA-9w8r-397f-prfh",
"modified": "2024-10-14T16:12:14Z",
"published": "2021-04-20T16:35:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20270"
},
{
"type": "WEB",
"url": "https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136"
},
{
"type": "PACKAGE",
"url": "https://github.com/pygments/pygments"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pygments/PYSEC-2021-140.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4889"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Infinite Loop in Pygments"
}
GHSA-9WJ4-8H85-PGRW
Vulnerability from github – Published: 2025-06-10 20:14 – Updated: 2025-06-10 20:14Impact
OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.
Patches
The vulnerability has been patched in version 1.11.2.
Workaround
OctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not.
Details
The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server.
The fix adds detection of invalid requests like that and ensures they are handled gracefully with an HTTP 400 Bad Request response.
Credits
This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "OctoPrint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48879"
],
"database_specific": {
"cwe_ids": [
"CWE-140",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-10T20:14:43Z",
"nvd_published_at": "2025-06-10T16:15:41Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken `multipart/form-data` request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.\n\n### Patches\n\nThe vulnerability has been patched in version 1.11.2.\n\n### Workaround\n\nOctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not.\n\n### Details\n\nThe issue can be triggered by a broken `multipart/form-data` request lacking an end boundary to any of OctoPrint\u0027s endpoints implemented through the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server.\n\nThe fix adds detection of invalid requests like that and ensures they are handled gracefully with an HTTP 400 Bad Request response.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.",
"id": "GHSA-9wj4-8h85-pgrw",
"modified": "2025-06-10T20:14:44Z",
"published": "2025-06-10T20:14:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48879"
},
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec"
},
{
"type": "PACKAGE",
"url": "https://github.com/OctoPrint/OctoPrint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.