CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1060 vulnerabilities reference this CWE, most recent first.
GHSA-7MXV-PR28-272F
Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2022-04-30 00:02In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and application hang in the get_fileinfo function (lrzip.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.
{
"affected": [],
"aliases": [
"CVE-2018-5786"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-19T08:29:00Z",
"severity": "MODERATE"
},
"details": "In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and application hang in the get_fileinfo function (lrzip.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.",
"id": "GHSA-7mxv-pr28-272f",
"modified": "2022-04-30T00:02:20Z",
"published": "2022-04-30T00:02:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5786"
},
{
"type": "WEB",
"url": "https://github.com/ckolivas/lrzip/issues/91"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00012.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5145"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7P4W-P3XM-VGFQ
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53In PoDoFo 0.9.5, there exists an infinite loop vulnerability in PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may result in stack overflow. Remote attackers could leverage this vulnerability to cause a denial-of-service or possibly unspecified other impact via a crafted pdf file.
{
"affected": [],
"aliases": [
"CVE-2018-8002"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-09T19:29:00Z",
"severity": "HIGH"
},
"details": "In PoDoFo 0.9.5, there exists an infinite loop vulnerability in PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may result in stack overflow. Remote attackers could leverage this vulnerability to cause a denial-of-service or possibly unspecified other impact via a crafted pdf file.",
"id": "GHSA-7p4w-p3xm-vgfq",
"modified": "2022-05-13T01:53:28Z",
"published": "2022-05-13T01:53:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8002"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1548930"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44946"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7PC8-95P7-87CW
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.
{
"affected": [],
"aliases": [
"CVE-2016-8910"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-11-04T21:59:00Z",
"severity": "MODERATE"
},
"details": "The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.",
"id": "GHSA-7pc8-95p7-87cw",
"modified": "2022-05-13T01:07:30Z",
"published": "2022-05-13T01:07:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8910"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2392"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2408"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-8910"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1388046"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg05495.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201611-11"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/10/24/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/10/24/5"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93844"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7PRR-P9GF-R8P8
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 09:30MBIM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
{
"affected": [],
"aliases": [
"CVE-2026-6519"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T07:16:39Z",
"severity": "MODERATE"
},
"details": "MBIM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
"id": "GHSA-7prr-p9gf-r8p8",
"modified": "2026-04-30T09:30:24Z",
"published": "2026-04-30T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6519"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/work_items/21184"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2026-41.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7QF2-G97R-CH8V
Vulnerability from github – Published: 2026-04-13 06:30 – Updated: 2026-04-13 06:30Stack overflow vulnerability in the media platform. Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2026-34852"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T04:16:11Z",
"severity": "MODERATE"
},
"details": "Stack overflow vulnerability in the media platform.\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-7qf2-g97r-ch8v",
"modified": "2026-04-13T06:30:29Z",
"published": "2026-04-13T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34852"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/4"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/4"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinwearables/2026/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7R7M-5H27-29HP
Vulnerability from github – Published: 2021-06-08 18:48 – Updated: 2024-10-11 20:41An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pillow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-28676"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-03T21:46:13Z",
"nvd_published_at": "2021-06-02T16:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.",
"id": "GHSA-7r7m-5h27-29hp",
"modified": "2024-10-11T20:41:37Z",
"published": "2021-06-08T18:48:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28676"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/pull/5377"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7r7m-5h27-29hp"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-92.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-pillow/Pillow"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"
},
{
"type": "WEB",
"url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Potential infinite loop in Pillow"
}
GHSA-7RFH-F9F4-M45F
Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack.
{
"affected": [],
"aliases": [
"CVE-2018-16646"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-06T23:29:00Z",
"severity": "MODERATE"
},
"details": "In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack.",
"id": "GHSA-7rfh-f9f4-m45f",
"modified": "2022-05-13T01:25:12Z",
"published": "2022-05-13T01:25:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16646"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2022"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1622951"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00040.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00004.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00018.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3837-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3837-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7V6R-J8W7-V48J
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2022-05-13 01:46The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
{
"affected": [],
"aliases": [
"CVE-2017-6214"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-23T17:59:00Z",
"severity": "HIGH"
},
"details": "The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.",
"id": "GHSA-7v6r-j8w7-v48j",
"modified": "2022-05-13T01:46:26Z",
"published": "2022-05-13T01:46:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6214"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/ccf7abb93af09ad0868ae9033d1ca8108bdaec82"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1372"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1615"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1616"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1647"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-09-01"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3804"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96421"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037897"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7VGW-QF5J-7533
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2022-06-03 00:01Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service. This is related to zipheadio.h:readUint32() and zipfile.cpp:Zipfile::Zipfile().
{
"affected": [],
"aliases": [
"CVE-2019-13453"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-17T15:15:00Z",
"severity": "MODERATE"
},
"details": "Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service. This is related to zipheadio.h:readUint32() and zipfile.cpp:Zipfile::Zipfile().",
"id": "GHSA-7vgw-qf5j-7533",
"modified": "2022-06-03T00:01:41Z",
"published": "2022-05-24T16:50:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13453"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00041.html"
},
{
"type": "WEB",
"url": "https://salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-2-of-3"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/109282"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7W3M-9PFQ-8M82
Vulnerability from github – Published: 2025-03-04 03:31 – Updated: 2025-04-10 21:31In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2025-1695"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T01:15:10Z",
"severity": "MODERATE"
},
"details": "In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). \u00a0There is no control plane exposure; this is a data plane issue only. \u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-7w3m-9pfq-8m82",
"modified": "2025-04-10T21:31:07Z",
"published": "2025-03-04T03:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1695"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000149959"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.