CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1060 vulnerabilities reference this CWE, most recent first.
GHSA-3VPR-MHGF-FGJV
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-04-20 03:38The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE types when the x509 plugin is enabled, which allows remote attackers to cause a denial of service (infinite loop) via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-9023"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-08T16:29:00Z",
"severity": "HIGH"
},
"details": "The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE types when the x509 plugin is enabled, which allows remote attackers to cause a denial of service (infinite loop) via a crafted certificate.",
"id": "GHSA-3vpr-mhgf-fgjv",
"modified": "2025-04-20T03:38:42Z",
"published": "2022-05-13T01:47:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9023"
},
{
"type": "WEB",
"url": "https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9023%29.html"
},
{
"type": "WEB",
"url": "https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9023).html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3866"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98756"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3301-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3VQ9-9J8H-QHV2
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 09:30RPKI-Router protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
{
"affected": [],
"aliases": [
"CVE-2026-6522"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T07:16:39Z",
"severity": "MODERATE"
},
"details": "RPKI-Router protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
"id": "GHSA-3vq9-9j8h-qhv2",
"modified": "2026-04-30T09:30:24Z",
"published": "2026-04-30T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6522"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/work_items/21186"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2026-42.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3W69-J4HP-RVH4
Vulnerability from github – Published: 2025-04-15 15:30 – Updated: 2025-08-20 09:30This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite loop in the "inbox" endpoint when receiving crafted ActivityPub activities.
{
"affected": [],
"aliases": [
"CVE-2025-32947"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T15:16:09Z",
"severity": "HIGH"
},
"details": "This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite loop in the \"inbox\" endpoint when\u00a0receiving crafted ActivityPub activities.",
"id": "GHSA-3w69-j4hp-rvh4",
"modified": "2025-08-20T09:30:38Z",
"published": "2025-04-15T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32947"
},
{
"type": "WEB",
"url": "https://github.com/Chocobozzz/PeerTube/commit/76226d85685220db1495025300eca784d0336f7d"
},
{
"type": "WEB",
"url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/peertube-activitypub-crawl-dos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3WR5-MP77-P74F
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2025-04-20 03:41A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after four consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop."
{
"affected": [],
"aliases": [
"CVE-2017-11626"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-25T23:29:00Z",
"severity": "MODERATE"
},
"details": "A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after four consecutive calls to QPDFObjectHandle::parseInternal, aka an \"infinite loop.\"",
"id": "GHSA-3wr5-mp77-p74f",
"modified": "2025-04-20T03:41:28Z",
"published": "2022-05-13T01:42:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11626"
},
{
"type": "WEB",
"url": "https://github.com/qpdf/qpdf/issues/119"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3638-1"
},
{
"type": "WEB",
"url": "http://somevulnsofadlab.blogspot.jp/2017/07/qpdfan-infinite-loop-in-libqpdf_65.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3WWW-Q54H-9529
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service.
{
"affected": [],
"aliases": [
"CVE-2017-15835"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-07T14:29:00Z",
"severity": "MODERATE"
},
"details": "In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service.",
"id": "GHSA-3www-q54h-9529",
"modified": "2022-05-13T01:44:01Z",
"published": "2022-05-13T01:44:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15835"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2018-11-01#qualcomm-components"
},
{
"type": "WEB",
"url": "https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3X7H-5HFR-HVJM
Vulnerability from github – Published: 2018-10-19 16:54 – Updated: 2021-08-31 21:36It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-2670"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:56:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.",
"id": "GHSA-3x7h-5hfr-hvjm",
"modified": "2021-08-31T21:36:39Z",
"published": "2018-10-19T16:54:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2670"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3x7h-5hfr-hvjm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Moderate severity vulnerability that affects io.undertow:undertow-core"
}
GHSA-3XPW-25QV-R984
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24Integer overflow in the SyncImageProfiles function in profile.c in ImageMagick 6.7.5-8 and earlier allows remote attackers to cause a denial of service (infinite loop) via crafted IOP tag offsets in the IFD in an image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0248.
{
"affected": [],
"aliases": [
"CVE-2012-1186"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-06-05T22:55:00Z",
"severity": "MODERATE"
},
"details": "Integer overflow in the SyncImageProfiles function in profile.c in ImageMagick 6.7.5-8 and earlier allows remote attackers to cause a denial of service (infinite loop) via crafted IOP tag offsets in the IFD in an image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0248.",
"id": "GHSA-3xpw-25qv-r984",
"modified": "2022-05-13T01:24:52Z",
"published": "2022-05-13T01:24:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1186"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1186"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76139"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2012-06/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/47926"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48974"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/49043"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/49317"
},
{
"type": "WEB",
"url": "http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-1435-1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2462"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/03/19/5"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/80555"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/51957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-433P-JX86-Q7VW
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49The function wav_read in libwav.c in libwav through 2017-04-20 has an infinite loop.
{
"affected": [],
"aliases": [
"CVE-2018-14051"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-13T16:29:00Z",
"severity": "HIGH"
},
"details": "The function wav_read in libwav.c in libwav through 2017-04-20 has an infinite loop.",
"id": "GHSA-433p-jx86-q7vw",
"modified": "2022-05-13T01:49:54Z",
"published": "2022-05-13T01:49:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14051"
},
{
"type": "WEB",
"url": "https://github.com/marc-q/libwav/issues/21"
},
{
"type": "WEB",
"url": "https://github.com/fouzhe/security/tree/master/libwav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-43MH-3PGG-2XJC
Vulnerability from github – Published: 2026-01-27 09:30 – Updated: 2026-01-27 09:30Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embedded/security modules). This vulnerability is associated with program files bn_lib.C.
This issue affects lede: through r25.10.1.
{
"affected": [],
"aliases": [
"CVE-2026-24803"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-27T09:15:50Z",
"severity": "CRITICAL"
},
"details": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embedded/security modules). This vulnerability is associated with program files bn_lib.C.\n\nThis issue affects lede: through r25.10.1.",
"id": "GHSA-43mh-3pgg-2xjc",
"modified": "2026-01-27T09:30:30Z",
"published": "2026-01-27T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24803"
},
{
"type": "WEB",
"url": "https://github.com/coolsnowwolf/lede/pull/13346"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-43RM-FV4G-CMJ8
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-06-08 00:00A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.
{
"affected": [],
"aliases": [
"CVE-2021-3468"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-02T16:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.",
"id": "GHSA-43rm-fv4g-cmj8",
"modified": "2022-06-08T00:00:32Z",
"published": "2022-05-24T19:03:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3468"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939614"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00009.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00028.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.