Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1052 vulnerabilities reference this CWE, most recent first.

GHSA-VF6R-CGFG-Q96J

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2025-04-20 03:33
VLAI
Details

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-17T07:59:00Z",
    "severity": "HIGH"
  },
  "details": "It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.",
  "id": "GHSA-vf6r-cgfg-q96j",
  "modified": "2025-04-20T03:33:04Z",
  "published": "2022-05-13T01:46:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6056"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/851304"
    },
    {
      "type": "WEB",
      "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60578"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-security-announce/2017/msg00038.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-security-announce/2017/msg00039.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20180731-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0517.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0826.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0827.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0828.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0829.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3787"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3788"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96293"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037860"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFH9-CHGV-WFPH

Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2022-07-23 00:00
VLAI
Details

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-15T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 \u003c\u003c 32 - 1 bytes.",
  "id": "GHSA-vfh9-chgv-wfph",
  "modified": "2022-07-23T00:00:23Z",
  "published": "2022-07-16T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30634"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/402257"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/52561"
    },
    {
      "type": "WEB",
      "url": "https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0477"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220915-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFP6-JRW2-99G9

Vulnerability from github – Published: 2023-11-08 15:02 – Updated: 2023-11-08 15:02
VLAI
Summary
Cosign vulnerable to possible endless data attack from attacker-controlled registry
Details

Summary

Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in pkg/cosign.FetchAttestations.

The attacker needs to compromise the registry or make a request to a registry they control. When doing so, the attacker must return a high number of attestations in the response to Cosign. The result will be that the attacker can cause Cosign to go into a long or infinite loop that will prevent other users from verifying their data. In Kyvernos case, an attacker whose privileges are limited to making requests to the cluster can make a request with an image reference to their own registry, trigger the infinite loop and deny other users from completing their admission requests. Alternatively, the attacker can obtain control of the registry used by an organization and return a high number of attestations instead the expected number of attestations.

The vulnerable loop in Cosign starts on line 154 below: https://github.com/sigstore/cosign/blob/004443228442850fb28f248fd59765afad99b6df/pkg/cosign/fetch.go#L135-L196

The l slice is controllable by an attacker who controls the remote registry.

Many cloud-native projects consider the remote registry to be untrusted, including Crossplane, Notary and Kyverno. We consider the same to be the case for Cosign, since users are not in control of whether the registry returns the expected data.

TUF's security model labels this type of vulnerability an "Endless data attack", but an attacker could use this as a type of rollback attack, in case the user attempts to deploy a patched version of a vulnerable image; The attacker could prevent this upgrade by causing Cosign to get stuck in an infinite loop and never complete.

Mitigation

The issue can be mitigated rather simply by setting a limit to the limit of attestations that Cosign will loop through. The limit does not need to be high to be within the vast majority of use cases and still prevent the endless data attack.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.13.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sigstore/cosign"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sigstore/cosign/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-08T15:02:51Z",
    "nvd_published_at": "2023-11-07T18:15:09Z",
    "severity": "LOW"
  },
  "details": "### Summary\nCosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in `pkg/cosign.FetchAttestations`.\n\nThe attacker needs to compromise the registry or make a request to a registry they control. When doing so, the attacker must return a high number of attestations in the response to Cosign. The result will be that the attacker can cause Cosign to go into a long or infinite loop that will prevent other users from verifying their data. In Kyvernos case, an attacker whose privileges are limited to making requests to the cluster can make a request with an image reference to their own registry, trigger the infinite loop and deny other users from completing their admission requests. Alternatively, the attacker can obtain control of the registry used by an organization and return a high number of attestations instead the expected number of attestations.\n\nThe vulnerable loop in Cosign starts on line 154 below:\nhttps://github.com/sigstore/cosign/blob/004443228442850fb28f248fd59765afad99b6df/pkg/cosign/fetch.go#L135-L196\n\nThe `l` slice is controllable by an attacker who controls the remote registry.\n\nMany cloud-native projects consider the remote registry to be untrusted, including Crossplane, Notary and Kyverno. We consider the same to be the case for Cosign, since users are not in control of whether the registry returns the expected data.\n\nTUF\u0027s security model labels this type of vulnerability an [\"Endless data attack\"](https://theupdateframework.io/security/), but an attacker could use this as a type of rollback attack, in case the user attempts to deploy a patched version of a vulnerable image; The attacker could prevent this upgrade by causing Cosign to get stuck in an infinite loop and never complete.\n\n### Mitigation\nThe issue can be mitigated rather simply by setting a limit to the limit of attestations that Cosign will loop through. The limit does not need to be high to be within the vast majority of use cases and still prevent the endless data attack.",
  "id": "GHSA-vfp6-jrw2-99g9",
  "modified": "2023-11-08T15:02:51Z",
  "published": "2023-11-08T15:02:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/cosign/pull/3364"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/cosign/commit/8ac891ff0e29ddc67965423bee8f826219c6eb0f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sigstore/cosign"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/cosign/releases/tag/v1.13.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/cosign/releases/tag/v2.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cosign vulnerable to possible endless data attack from attacker-controlled registry"
}

GHSA-VFW5-HRGQ-H5WF

Vulnerability from github – Published: 2023-09-25 17:33 – Updated: 2024-05-20 19:40
VLAI
Summary
x/net/html Vulnerable to DoS During HTML Parsing
Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "golang.org/x/net"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20190125091013-d26f9f9a57f3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-17846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-25T17:33:10Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The html package (aka x/net/html) through 2018-09-25 in Go mishandles `\u003ctable\u003e\u003cmath\u003e\u003cselect\u003e\u003cmi\u003e\u003cselect\u003e\u003c/table\u003e`, leading to an infinite loop during an `html.Parse` call because `inSelectIM` and `inSelectInTableIM` do not comply with a specification.",
  "id": "GHSA-vfw5-hrgq-h5wf",
  "modified": "2024-05-20T19:40:06Z",
  "published": "2023-09-25T17:33:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17846"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/go/issues/27842"
    },
    {
      "type": "WEB",
      "url": "https://go-review.googlesource.com/c/137275"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/27842"
    },
    {
      "type": "WEB",
      "url": "https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2020-0014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "x/net/html Vulnerable to DoS During HTML Parsing"
}

GHSA-VG2P-X98M-7MXR

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, would perform unbounded read operations on user-controlled ~/.pam_environment files, allowing an infinite loop if /dev/zero is symlinked to this location.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-11T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, would perform unbounded read operations on user-controlled ~/.pam_environment files, allowing an infinite loop if /dev/zero is symlinked to this location.",
  "id": "GHSA-vg2p-x98m-7mxr",
  "modified": "2022-05-24T17:33:38Z",
  "published": "2022-05-24T17:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16127"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-187-accountsservice-drop-privs-DOS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VHC7-QGWJ-VX6V

Vulnerability from github – Published: 2026-07-01 15:35 – Updated: 2026-07-01 15:35
VLAI
Details

FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T15:17:12Z",
    "severity": "MODERATE"
  },
  "details": "FatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.",
  "id": "GHSA-vhc7-qgwj-vx6v",
  "modified": "2026-07-01T15:35:20Z",
  "published": "2026-07-01T15:35:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6684"
    },
    {
      "type": "WEB",
      "url": "https://elm-chan.org/fsw/ff"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
    },
    {
      "type": "WEB",
      "url": "https://www.runzero.com/advisories/fatfs-gpt-scan-loop-dos-cve-2026-6684"
    },
    {
      "type": "WEB",
      "url": "https://www.runzero.com/blog/fatfs-bugs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ6G-6XQ4-CMRW

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50
VLAI
Details

** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-03T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray \u0027\u0026\u0027 or \u0027/\u0027 characters. NOTE: Upstream comments indicate this issue is closed as \"won\u0027t fix\" and \"works as intended\" by design.",
  "id": "GHSA-vj6g-6xq4-cmrw",
  "modified": "2022-05-13T01:50:54Z",
  "published": "2022-05-13T01:50:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19826"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/issues/2781"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMHH-8RXQ-FP9G

Vulnerability from github – Published: 2025-07-23 20:03 – Updated: 2025-07-23 20:03
VLAI
Summary
ImageMagick has XMP profile write that triggers hang due to unbounded loop
Details

Summary

Infinite lines occur when writing during a specific XMP file conversion command

Details

#0  GetXmpNumeratorAndDenominator (denominator=<optimized out>, numerator=<optimized out>, value=<optimized out>) at MagickCore/profile.c:2578
#1  GetXmpNumeratorAndDenominator (denominator=<synthetic pointer>, numerator=<synthetic pointer>, value=720000000000000) at MagickCore/profile.c:2564
#2  SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605
#3  0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651
#4  0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288
#5  0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=<optimized out>, images@entry=0x555555bb9ea0, filename=<optimized out>, exception=0x555555b7bea0) at MagickCore/constitute.c:1575
#6  0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write", arg1n=arg1n@entry=0x7fffffffe2c7 "a.mng", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993
#7  0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write") at MagickWand/operation.c:5473
#8  0x00005555559224aa in ProcessCommandOptions (cli_wand=cli_wand@entry=0x555555b85790, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, index=index@entry=1) at MagickWand/magick-cli.c:758
#9  0x000055555592276d in MagickImageCommand (image_info=image_info@entry=0x555555b824a0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=metadata@entry=0x7fffffffbc10, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:1392
#10 0x00005555559216a0 in MagickCommandGenesis (image_info=image_info@entry=0x555555b824a0, command=command@entry=0x555555922640 <MagickImageCommand>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=0x0, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:177
#11 0x000055555559f76b in MagickMain (argc=3, argv=0x7fffffffdfa8) at utilities/magick.c:162
#12 0x00007ffff700fd90 in __libc_start_call_main (main=main@entry=0x55555559aec0 <main>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x00007ffff700fe40 in __libc_start_main_impl (main=0x55555559aec0 <main>, argc=3, argv=0x7fffffffdfa8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392
#14 0x000055555559f535 in _start ()
static void GetXmpNumeratorAndDenominator(double value,
  unsigned long *numerator,unsigned long *denominator)
{
  double
    df;

  *numerator=0;
  *denominator=1;
  if (value <= MagickEpsilon)
    return;
  *numerator=1;
  df=1.0;
  while(fabs(df - value) > MagickEpsilon)
  {
    if (df < value)
      (*numerator)++;
    else
      {
        (*denominator)++;
        *numerator=(unsigned long) (value*(*denominator));
      }
    df=*numerator/(double)*denominator;
  }
}

In this code, the loop while(fabs(df - value) > MagickEpsilon) keeps repeating endlessly.

PoC

magick hang a.mng https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing

Impact

XMP profile write triggers hang due to unbounded loop

credits

Team Pay1oad DVE

Reporter : Shinyoung Won (with contributions from WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae, Kyusang Han, JaeHun Gou)

yosimich(@yosiimich) Shinyoung Won of SSA Lab

e-mail : [yosimich123@gmail.com]

Woojin Jeon

Gtihub : brainoverflow

e-mail : [root@brainoverflow.kr]

WooJin Park

GitHub : jin-156

e-mail : [1203kids@gmail.com]

Who4mI(@GAP-dev) Lee DongHa of SSA Lab

Github: GAP-dev

e-mail : [ceo@zeropointer.co.kr]

JungWoo Park

Github : JungWooJJING

e-mail : [cuby5577@gmail.com]

Juwon Chae

Github : I_mho

e-mail : [wndnjs4698@naver.com]

Kyusang Han

Github : T1deSEC

e-mail : [hksjoe0081@gmail.com]

JaeHun Gou

Github : P2GONE

e-mail : [charly20@naver.com]

Commits

Fixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-23T20:03:41Z",
    "nvd_published_at": "2025-07-14T20:15:28Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nInfinite lines occur when writing during a specific XMP file conversion command\n### Details\n```\n#0  GetXmpNumeratorAndDenominator (denominator=\u003coptimized out\u003e, numerator=\u003coptimized out\u003e, value=\u003coptimized out\u003e) at MagickCore/profile.c:2578\n#1  GetXmpNumeratorAndDenominator (denominator=\u003csynthetic pointer\u003e, numerator=\u003csynthetic pointer\u003e, value=720000000000000) at MagickCore/profile.c:2564\n#2  SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605\n#3  0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651\n#4  0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288\n#5  0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=\u003coptimized out\u003e, images@entry=0x555555bb9ea0, filename=\u003coptimized out\u003e, exception=0x555555b7bea0) at MagickCore/constitute.c:1575\n#6  0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe \"-write\", arg1n=arg1n@entry=0x7fffffffe2c7 \"a.mng\", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993\n#7  0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe \"-write\") at MagickWand/operation.c:5473\n#8  0x00005555559224aa in ProcessCommandOptions (cli_wand=cli_wand@entry=0x555555b85790, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, index=index@entry=1) at MagickWand/magick-cli.c:758\n#9  0x000055555592276d in MagickImageCommand (image_info=image_info@entry=0x555555b824a0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=metadata@entry=0x7fffffffbc10, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:1392\n#10 0x00005555559216a0 in MagickCommandGenesis (image_info=image_info@entry=0x555555b824a0, command=command@entry=0x555555922640 \u003cMagickImageCommand\u003e, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=0x0, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:177\n#11 0x000055555559f76b in MagickMain (argc=3, argv=0x7fffffffdfa8) at utilities/magick.c:162\n#12 0x00007ffff700fd90 in __libc_start_call_main (main=main@entry=0x55555559aec0 \u003cmain\u003e, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58\n#13 0x00007ffff700fe40 in __libc_start_main_impl (main=0x55555559aec0 \u003cmain\u003e, argc=3, argv=0x7fffffffdfa8, init=\u003coptimized out\u003e, fini=\u003coptimized out\u003e, rtld_fini=\u003coptimized out\u003e, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392\n#14 0x000055555559f535 in _start ()\n```\n```\nstatic void GetXmpNumeratorAndDenominator(double value,\n  unsigned long *numerator,unsigned long *denominator)\n{\n  double\n    df;\n\n  *numerator=0;\n  *denominator=1;\n  if (value \u003c= MagickEpsilon)\n    return;\n  *numerator=1;\n  df=1.0;\n  while(fabs(df - value) \u003e MagickEpsilon)\n  {\n    if (df \u003c value)\n      (*numerator)++;\n    else\n      {\n        (*denominator)++;\n        *numerator=(unsigned long) (value*(*denominator));\n      }\n    df=*numerator/(double)*denominator;\n  }\n}\n```\nIn this code, the loop `while(fabs(df - value) \u003e MagickEpsilon)` keeps repeating endlessly.\n\n### PoC\n`magick hang a.mng`\nhttps://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing\n\n### Impact\nXMP profile write triggers hang due to unbounded loop\n\n\n### credits\n**Team Pay1oad DVE** \n\n**Reporter** :  **Shinyoung Won** (with contributions from **WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae**, **Kyusang Han, JaeHun Gou**)\n\n**yosimich(@yosiimich**) **Shinyoung Won** of SSA Lab\n\ne-mail : [yosimich123@gmail.com]\n\n**Woojin Jeon**\n\nGtihub : brainoverflow\n\ne-mail : [root@brainoverflow.kr]\n\n**WooJin Park**\n\nGitHub : jin-156\n\ne-mail : [1203kids@gmail.com]\n\n**Who4mI(@GAP-dev) Lee DongHa of SSA Lab**\n\nGithub: GAP-dev\n\ne-mail : [ceo@zeropointer.co.kr]\n\n**JungWoo Park**\n\nGithub : JungWooJJING\n\ne-mail : [cuby5577@gmail.com]\n\n**Juwon Chae** \n\nGithub : I_mho\n\ne-mail : [wndnjs4698@naver.com]\n\n**Kyusang Han**\n\nGithub : T1deSEC\n\ne-mail : [hksjoe0081@gmail.com]\n\n**JaeHun Gou**\n\nGithub : P2GONE\n\ne-mail : [charly20@naver.com]\n\n### Commits\nFixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26",
  "id": "GHSA-vmhh-8rxq-fp9g",
  "modified": "2025-07-23T20:03:42Z",
  "published": "2025-07-23T20:03:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick has XMP profile write that triggers hang due to unbounded loop"
}

GHSA-VPP4-H7GV-G249

Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 15:30
VLAI
Details

DLMS/COSEM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6536"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T07:16:40Z",
    "severity": "MODERATE"
  },
  "details": "DLMS/COSEM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4",
  "id": "GHSA-vpp4-h7gv-g249",
  "modified": "2026-04-30T15:30:39Z",
  "published": "2026-04-30T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6536"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/21065"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/work_items/21065"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2026-25.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPR2-5GXQ-HJC6

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2025-04-20 03:49
VLAI
Details

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-16944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-25T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a \u0027.\u0027 character signifying the end of the content, related to the bdat_getc function.",
  "id": "GHSA-vpr2-5gxq-hjc6",
  "modified": "2025-04-20T03:49:05Z",
  "published": "2022-05-13T01:10:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16944"
    },
    {
      "type": "WEB",
      "url": "https://bugs.exim.org/show_bug.cgi?id=2201"
    },
    {
      "type": "WEB",
      "url": "https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-4053"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43184"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/11/25/1"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/11/25/2"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/11/25/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/04/7"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039873"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.