CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1052 vulnerabilities reference this CWE, most recent first.
GHSA-VF6R-CGFG-Q96J
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2025-04-20 03:33It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
{
"affected": [],
"aliases": [
"CVE-2017-6056"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-17T07:59:00Z",
"severity": "HIGH"
},
"details": "It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.",
"id": "GHSA-vf6r-cgfg-q96j",
"modified": "2025-04-20T03:33:04Z",
"published": "2022-05-13T01:46:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6056"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/851304"
},
{
"type": "WEB",
"url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60578"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-security-announce/2017/msg00038.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-security-announce/2017/msg00039.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180731-0002"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0517.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0826.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0827.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0828.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0829.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3787"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3788"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96293"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037860"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VFH9-CHGV-WFPH
Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2022-07-23 00:00Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
{
"affected": [],
"aliases": [
"CVE-2022-30634"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-15T20:15:00Z",
"severity": "HIGH"
},
"details": "Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 \u003c\u003c 32 - 1 bytes.",
"id": "GHSA-vfh9-chgv-wfph",
"modified": "2022-07-23T00:00:23Z",
"published": "2022-07-16T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30634"
},
{
"type": "WEB",
"url": "https://go.dev/cl/402257"
},
{
"type": "WEB",
"url": "https://go.dev/issue/52561"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0477"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220915-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VFP6-JRW2-99G9
Vulnerability from github – Published: 2023-11-08 15:02 – Updated: 2023-11-08 15:02Summary
Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in pkg/cosign.FetchAttestations.
The attacker needs to compromise the registry or make a request to a registry they control. When doing so, the attacker must return a high number of attestations in the response to Cosign. The result will be that the attacker can cause Cosign to go into a long or infinite loop that will prevent other users from verifying their data. In Kyvernos case, an attacker whose privileges are limited to making requests to the cluster can make a request with an image reference to their own registry, trigger the infinite loop and deny other users from completing their admission requests. Alternatively, the attacker can obtain control of the registry used by an organization and return a high number of attestations instead the expected number of attestations.
The vulnerable loop in Cosign starts on line 154 below: https://github.com/sigstore/cosign/blob/004443228442850fb28f248fd59765afad99b6df/pkg/cosign/fetch.go#L135-L196
The l slice is controllable by an attacker who controls the remote registry.
Many cloud-native projects consider the remote registry to be untrusted, including Crossplane, Notary and Kyverno. We consider the same to be the case for Cosign, since users are not in control of whether the registry returns the expected data.
TUF's security model labels this type of vulnerability an "Endless data attack", but an attacker could use this as a type of rollback attack, in case the user attempts to deploy a patched version of a vulnerable image; The attacker could prevent this upgrade by causing Cosign to get stuck in an infinite loop and never complete.
Mitigation
The issue can be mitigated rather simply by setting a limit to the limit of attestations that Cosign will loop through. The limit does not need to be high to be within the vast majority of use cases and still prevent the endless data attack.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.13.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/sigstore/cosign"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/sigstore/cosign/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46737"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-08T15:02:51Z",
"nvd_published_at": "2023-11-07T18:15:09Z",
"severity": "LOW"
},
"details": "### Summary\nCosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in `pkg/cosign.FetchAttestations`.\n\nThe attacker needs to compromise the registry or make a request to a registry they control. When doing so, the attacker must return a high number of attestations in the response to Cosign. The result will be that the attacker can cause Cosign to go into a long or infinite loop that will prevent other users from verifying their data. In Kyvernos case, an attacker whose privileges are limited to making requests to the cluster can make a request with an image reference to their own registry, trigger the infinite loop and deny other users from completing their admission requests. Alternatively, the attacker can obtain control of the registry used by an organization and return a high number of attestations instead the expected number of attestations.\n\nThe vulnerable loop in Cosign starts on line 154 below:\nhttps://github.com/sigstore/cosign/blob/004443228442850fb28f248fd59765afad99b6df/pkg/cosign/fetch.go#L135-L196\n\nThe `l` slice is controllable by an attacker who controls the remote registry.\n\nMany cloud-native projects consider the remote registry to be untrusted, including Crossplane, Notary and Kyverno. We consider the same to be the case for Cosign, since users are not in control of whether the registry returns the expected data.\n\nTUF\u0027s security model labels this type of vulnerability an [\"Endless data attack\"](https://theupdateframework.io/security/), but an attacker could use this as a type of rollback attack, in case the user attempts to deploy a patched version of a vulnerable image; The attacker could prevent this upgrade by causing Cosign to get stuck in an infinite loop and never complete.\n\n### Mitigation\nThe issue can be mitigated rather simply by setting a limit to the limit of attestations that Cosign will loop through. The limit does not need to be high to be within the vast majority of use cases and still prevent the endless data attack.",
"id": "GHSA-vfp6-jrw2-99g9",
"modified": "2023-11-08T15:02:51Z",
"published": "2023-11-08T15:02:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46737"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/pull/3364"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/commit/8ac891ff0e29ddc67965423bee8f826219c6eb0f"
},
{
"type": "PACKAGE",
"url": "https://github.com/sigstore/cosign"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/releases/tag/v1.13.2"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/releases/tag/v2.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Cosign vulnerable to possible endless data attack from attacker-controlled registry"
}
GHSA-VFW5-HRGQ-H5WF
Vulnerability from github – Published: 2023-09-25 17:33 – Updated: 2024-05-20 19:40The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/net"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20190125091013-d26f9f9a57f3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-17846"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-25T17:33:10Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The html package (aka x/net/html) through 2018-09-25 in Go mishandles `\u003ctable\u003e\u003cmath\u003e\u003cselect\u003e\u003cmi\u003e\u003cselect\u003e\u003c/table\u003e`, leading to an infinite loop during an `html.Parse` call because `inSelectIM` and `inSelectInTableIM` do not comply with a specification.",
"id": "GHSA-vfw5-hrgq-h5wf",
"modified": "2024-05-20T19:40:06Z",
"published": "2023-09-25T17:33:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17846"
},
{
"type": "WEB",
"url": "https://github.com/golang/go/issues/27842"
},
{
"type": "WEB",
"url": "https://go-review.googlesource.com/c/137275"
},
{
"type": "WEB",
"url": "https://go.dev/issue/27842"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2020-0014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "x/net/html Vulnerable to DoS During HTML Parsing"
}
GHSA-VG2P-X98M-7MXR
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, would perform unbounded read operations on user-controlled ~/.pam_environment files, allowing an infinite loop if /dev/zero is symlinked to this location.
{
"affected": [],
"aliases": [
"CVE-2020-16127"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-11T04:15:00Z",
"severity": "MODERATE"
},
"details": "An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, would perform unbounded read operations on user-controlled ~/.pam_environment files, allowing an infinite loop if /dev/zero is symlinked to this location.",
"id": "GHSA-vg2p-x98m-7mxr",
"modified": "2022-05-24T17:33:38Z",
"published": "2022-05-24T17:33:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16127"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-187-accountsservice-drop-privs-DOS"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VHC7-QGWJ-VX6V
Vulnerability from github – Published: 2026-07-01 15:35 – Updated: 2026-07-01 15:35FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
{
"affected": [],
"aliases": [
"CVE-2026-6684"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T15:17:12Z",
"severity": "MODERATE"
},
"details": "FatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.",
"id": "GHSA-vhc7-qgwj-vx6v",
"modified": "2026-07-01T15:35:20Z",
"published": "2026-07-01T15:35:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6684"
},
{
"type": "WEB",
"url": "https://elm-chan.org/fsw/ff"
},
{
"type": "WEB",
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/fatfs-gpt-scan-loop-dos-cve-2026-6684"
},
{
"type": "WEB",
"url": "https://www.runzero.com/blog/fatfs-bugs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ6G-6XQ4-CMRW
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.
{
"affected": [],
"aliases": [
"CVE-2018-19826"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-03T19:29:00Z",
"severity": "MODERATE"
},
"details": "** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray \u0027\u0026\u0027 or \u0027/\u0027 characters. NOTE: Upstream comments indicate this issue is closed as \"won\u0027t fix\" and \"works as intended\" by design.",
"id": "GHSA-vj6g-6xq4-cmrw",
"modified": "2022-05-13T01:50:54Z",
"published": "2022-05-13T01:50:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19826"
},
{
"type": "WEB",
"url": "https://github.com/sass/libsass/issues/2781"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMHH-8RXQ-FP9G
Vulnerability from github – Published: 2025-07-23 20:03 – Updated: 2025-07-23 20:03Summary
Infinite lines occur when writing during a specific XMP file conversion command
Details
#0 GetXmpNumeratorAndDenominator (denominator=<optimized out>, numerator=<optimized out>, value=<optimized out>) at MagickCore/profile.c:2578
#1 GetXmpNumeratorAndDenominator (denominator=<synthetic pointer>, numerator=<synthetic pointer>, value=720000000000000) at MagickCore/profile.c:2564
#2 SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605
#3 0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651
#4 0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288
#5 0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=<optimized out>, images@entry=0x555555bb9ea0, filename=<optimized out>, exception=0x555555b7bea0) at MagickCore/constitute.c:1575
#6 0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write", arg1n=arg1n@entry=0x7fffffffe2c7 "a.mng", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993
#7 0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write") at MagickWand/operation.c:5473
#8 0x00005555559224aa in ProcessCommandOptions (cli_wand=cli_wand@entry=0x555555b85790, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, index=index@entry=1) at MagickWand/magick-cli.c:758
#9 0x000055555592276d in MagickImageCommand (image_info=image_info@entry=0x555555b824a0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=metadata@entry=0x7fffffffbc10, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:1392
#10 0x00005555559216a0 in MagickCommandGenesis (image_info=image_info@entry=0x555555b824a0, command=command@entry=0x555555922640 <MagickImageCommand>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=0x0, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:177
#11 0x000055555559f76b in MagickMain (argc=3, argv=0x7fffffffdfa8) at utilities/magick.c:162
#12 0x00007ffff700fd90 in __libc_start_call_main (main=main@entry=0x55555559aec0 <main>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x00007ffff700fe40 in __libc_start_main_impl (main=0x55555559aec0 <main>, argc=3, argv=0x7fffffffdfa8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392
#14 0x000055555559f535 in _start ()
static void GetXmpNumeratorAndDenominator(double value,
unsigned long *numerator,unsigned long *denominator)
{
double
df;
*numerator=0;
*denominator=1;
if (value <= MagickEpsilon)
return;
*numerator=1;
df=1.0;
while(fabs(df - value) > MagickEpsilon)
{
if (df < value)
(*numerator)++;
else
{
(*denominator)++;
*numerator=(unsigned long) (value*(*denominator));
}
df=*numerator/(double)*denominator;
}
}
In this code, the loop while(fabs(df - value) > MagickEpsilon) keeps repeating endlessly.
PoC
magick hang a.mng
https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing
Impact
XMP profile write triggers hang due to unbounded loop
credits
Team Pay1oad DVE
Reporter : Shinyoung Won (with contributions from WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae, Kyusang Han, JaeHun Gou)
yosimich(@yosiimich) Shinyoung Won of SSA Lab
e-mail : [yosimich123@gmail.com]
Woojin Jeon
Gtihub : brainoverflow
e-mail : [root@brainoverflow.kr]
WooJin Park
GitHub : jin-156
e-mail : [1203kids@gmail.com]
Who4mI(@GAP-dev) Lee DongHa of SSA Lab
Github: GAP-dev
e-mail : [ceo@zeropointer.co.kr]
JungWoo Park
Github : JungWooJJING
e-mail : [cuby5577@gmail.com]
Juwon Chae
Github : I_mho
e-mail : [wndnjs4698@naver.com]
Kyusang Han
Github : T1deSEC
e-mail : [hksjoe0081@gmail.com]
JaeHun Gou
Github : P2GONE
e-mail : [charly20@naver.com]
Commits
Fixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53015"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-23T20:03:41Z",
"nvd_published_at": "2025-07-14T20:15:28Z",
"severity": "HIGH"
},
"details": "### Summary\nInfinite lines occur when writing during a specific XMP file conversion command\n### Details\n```\n#0 GetXmpNumeratorAndDenominator (denominator=\u003coptimized out\u003e, numerator=\u003coptimized out\u003e, value=\u003coptimized out\u003e) at MagickCore/profile.c:2578\n#1 GetXmpNumeratorAndDenominator (denominator=\u003csynthetic pointer\u003e, numerator=\u003csynthetic pointer\u003e, value=720000000000000) at MagickCore/profile.c:2564\n#2 SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605\n#3 0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651\n#4 0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288\n#5 0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=\u003coptimized out\u003e, images@entry=0x555555bb9ea0, filename=\u003coptimized out\u003e, exception=0x555555b7bea0) at MagickCore/constitute.c:1575\n#6 0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe \"-write\", arg1n=arg1n@entry=0x7fffffffe2c7 \"a.mng\", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993\n#7 0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe \"-write\") at MagickWand/operation.c:5473\n#8 0x00005555559224aa in ProcessCommandOptions (cli_wand=cli_wand@entry=0x555555b85790, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, index=index@entry=1) at MagickWand/magick-cli.c:758\n#9 0x000055555592276d in MagickImageCommand (image_info=image_info@entry=0x555555b824a0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=metadata@entry=0x7fffffffbc10, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:1392\n#10 0x00005555559216a0 in MagickCommandGenesis (image_info=image_info@entry=0x555555b824a0, command=command@entry=0x555555922640 \u003cMagickImageCommand\u003e, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=0x0, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:177\n#11 0x000055555559f76b in MagickMain (argc=3, argv=0x7fffffffdfa8) at utilities/magick.c:162\n#12 0x00007ffff700fd90 in __libc_start_call_main (main=main@entry=0x55555559aec0 \u003cmain\u003e, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58\n#13 0x00007ffff700fe40 in __libc_start_main_impl (main=0x55555559aec0 \u003cmain\u003e, argc=3, argv=0x7fffffffdfa8, init=\u003coptimized out\u003e, fini=\u003coptimized out\u003e, rtld_fini=\u003coptimized out\u003e, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392\n#14 0x000055555559f535 in _start ()\n```\n```\nstatic void GetXmpNumeratorAndDenominator(double value,\n unsigned long *numerator,unsigned long *denominator)\n{\n double\n df;\n\n *numerator=0;\n *denominator=1;\n if (value \u003c= MagickEpsilon)\n return;\n *numerator=1;\n df=1.0;\n while(fabs(df - value) \u003e MagickEpsilon)\n {\n if (df \u003c value)\n (*numerator)++;\n else\n {\n (*denominator)++;\n *numerator=(unsigned long) (value*(*denominator));\n }\n df=*numerator/(double)*denominator;\n }\n}\n```\nIn this code, the loop `while(fabs(df - value) \u003e MagickEpsilon)` keeps repeating endlessly.\n\n### PoC\n`magick hang a.mng`\nhttps://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing\n\n### Impact\nXMP profile write triggers hang due to unbounded loop\n\n\n### credits\n**Team Pay1oad DVE** \n\n**Reporter** : **Shinyoung Won** (with contributions from **WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae**, **Kyusang Han, JaeHun Gou**)\n\n**yosimich(@yosiimich**) **Shinyoung Won** of SSA Lab\n\ne-mail : [yosimich123@gmail.com]\n\n**Woojin Jeon**\n\nGtihub : brainoverflow\n\ne-mail : [root@brainoverflow.kr]\n\n**WooJin Park**\n\nGitHub : jin-156\n\ne-mail : [1203kids@gmail.com]\n\n**Who4mI(@GAP-dev) Lee DongHa of SSA Lab**\n\nGithub: GAP-dev\n\ne-mail : [ceo@zeropointer.co.kr]\n\n**JungWoo Park**\n\nGithub : JungWooJJING\n\ne-mail : [cuby5577@gmail.com]\n\n**Juwon Chae** \n\nGithub : I_mho\n\ne-mail : [wndnjs4698@naver.com]\n\n**Kyusang Han**\n\nGithub : T1deSEC\n\ne-mail : [hksjoe0081@gmail.com]\n\n**JaeHun Gou**\n\nGithub : P2GONE\n\ne-mail : [charly20@naver.com]\n\n### Commits\nFixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26",
"id": "GHSA-vmhh-8rxq-fp9g",
"modified": "2025-07-23T20:03:42Z",
"published": "2025-07-23T20:03:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53015"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has XMP profile write that triggers hang due to unbounded loop"
}
GHSA-VPP4-H7GV-G249
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 15:30DLMS/COSEM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4
{
"affected": [],
"aliases": [
"CVE-2026-6536"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T07:16:40Z",
"severity": "MODERATE"
},
"details": "DLMS/COSEM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4",
"id": "GHSA-vpp4-h7gv-g249",
"modified": "2026-04-30T15:30:39Z",
"published": "2026-04-30T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6536"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/21065"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/work_items/21065"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2026-25.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPR2-5GXQ-HJC6
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2025-04-20 03:49The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.
{
"affected": [],
"aliases": [
"CVE-2017-16944"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-25T17:29:00Z",
"severity": "HIGH"
},
"details": "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a \u0027.\u0027 character signifying the end of the content, related to the bdat_getc function.",
"id": "GHSA-vpr2-5gxq-hjc6",
"modified": "2025-04-20T03:49:05Z",
"published": "2022-05-13T01:10:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16944"
},
{
"type": "WEB",
"url": "https://bugs.exim.org/show_bug.cgi?id=2201"
},
{
"type": "WEB",
"url": "https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4053"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43184"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/11/25/1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/11/25/2"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/11/25/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/04/7"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039873"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.