CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1060 vulnerabilities reference this CWE, most recent first.
GHSA-8PP8-7WVW-F67F
Vulnerability from github – Published: 2022-05-13 01:51 – Updated: 2022-05-13 01:51libpff_item_tree_create_node in libpff_item_tree.c in libpff before experimental-20180714 allows attackers to cause a denial of service (infinite recursion) via a crafted file, related to libfdata_tree_get_node_value in libfdata_tree.c.
{
"affected": [],
"aliases": [
"CVE-2018-20348"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-22T00:29:00Z",
"severity": "MODERATE"
},
"details": "libpff_item_tree_create_node in libpff_item_tree.c in libpff before experimental-20180714 allows attackers to cause a denial of service (infinite recursion) via a crafted file, related to libfdata_tree_get_node_value in libfdata_tree.c.",
"id": "GHSA-8pp8-7wvw-f67f",
"modified": "2022-05-13T01:51:00Z",
"published": "2022-05-13T01:51:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20348"
},
{
"type": "WEB",
"url": "https://github.com/libyal/libpff/issues/48"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8PW9-7GV3-535C
Vulnerability from github – Published: 2025-01-21 15:31 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
exfat: fix the infinite loop in exfat_readdir()
If the file system is corrupted so that a cluster is linked to itself in the cluster chain, and there is an unused directory entry in the cluster, 'dentry' will not be incremented, causing condition 'dentry < max_dentries' unable to prevent an infinite loop.
This infinite loop causes s_lock not to be released, and other tasks will hang, such as exfat_sync_fs().
This commit stops traversing the cluster chain when there is unused directory entry in the cluster to avoid this infinite loop.
{
"affected": [],
"aliases": [
"CVE-2024-57940"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T13:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix the infinite loop in exfat_readdir()\n\nIf the file system is corrupted so that a cluster is linked to\nitself in the cluster chain, and there is an unused directory\nentry in the cluster, \u0027dentry\u0027 will not be incremented, causing\ncondition \u0027dentry \u003c max_dentries\u0027 unable to prevent an infinite\nloop.\n\nThis infinite loop causes s_lock not to be released, and other\ntasks will hang, such as exfat_sync_fs().\n\nThis commit stops traversing the cluster chain when there is unused\ndirectory entry in the cluster to avoid this infinite loop.",
"id": "GHSA-8pw9-7gv3-535c",
"modified": "2026-05-12T15:30:44Z",
"published": "2025-01-21T15:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57940"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-503939.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/28c21f0ac5293a4bf19b3e0e32005d6dd31a6c17"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31beabd0f47f8c3ed9965ba861c9e5b252d4920a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d8cfbb8723bd3d3222f360227a1cc15227189ca6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9ea94f5cd117d56e573696d0045ab3044185a15"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc1d7afceb982e8f666e70a582e6b5aa806de063"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fee873761bd978d077d8c55334b4966ac4cb7b59"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8Q6Q-3849-7CM3
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2022-05-13 01:46In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite loop and memory exhaustion. If the packet size field in a packet header is null, the offset to read from will not advance, causing continuous attempts to read the same zero length packet. This will quickly exhaust all system memory.
{
"affected": [],
"aliases": [
"CVE-2017-6014"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-17T07:59:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite loop and memory exhaustion. If the packet size field in a packet header is null, the offset to read from will not advance, causing continuous attempts to read the same zero length packet. This will quickly exhaust all system memory.",
"id": "GHSA-8q6q-3849-7cm3",
"modified": "2022-05-13T01:46:24Z",
"published": "2022-05-13T01:46:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6014"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13416"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201706-12"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3811"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96284"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8QPF-FV36-H4R8
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-11-02 00:42A Cron expression form validation could enter infinite loop, potentially resulting in denial of service. The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.138"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1999044"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-02T00:42:37Z",
"nvd_published_at": "2018-08-23T18:29:00Z",
"severity": "MODERATE"
},
"details": "A Cron expression form validation could enter infinite loop, potentially resulting in denial of service. The form validation for cron expressions (e.g. \"Poll SCM\", \"Build periodically\") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.\n",
"id": "GHSA-8qpf-fv36-h4r8",
"modified": "2022-11-02T00:42:37Z",
"published": "2022-05-13T01:50:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999044"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/e5046911c57e60a1d6d8aca9b21bd9093b0f3763"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-08-15/#SECURITY-790"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Infinite Loop in Jenkins Core"
}
GHSA-8QVV-3Q23-2876
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2025-04-20 03:44There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2017-13728"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-29T06:29:00Z",
"severity": "HIGH"
},
"details": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.",
"id": "GHSA-8qvv-3q23-2876",
"modified": "2025-04-20T03:44:00Z",
"published": "2022-05-13T01:09:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13728"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484274"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201804-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R3F-844C-MC37
Vulnerability from github – Published: 2024-03-06 00:31 – Updated: 2024-11-07 19:19The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "google.golang.org/protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.33.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "google.golang.org/protobuf/encoding/protojson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.33.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "google.golang.org/protobuf/internal/encoding/json"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.33.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-24786"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-13T21:01:28Z",
"nvd_published_at": "2024-03-05T23:15:07Z",
"severity": "MODERATE"
},
"details": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.",
"id": "GHSA-8r3f-844c-mc37",
"modified": "2024-11-07T19:19:40Z",
"published": "2024-03-06T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023"
},
{
"type": "PACKAGE",
"url": "https://github.com/protocolbuffers/protobuf-go"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0"
},
{
"type": "WEB",
"url": "https://go.dev/cl/569356"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2611"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240517-0002"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/08/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON"
}
GHSA-8W78-HR8V-FM5G
Vulnerability from github – Published: 2022-05-02 06:21 – Updated: 2022-05-02 06:21Adobe Shockwave Player before 11.5.7.609 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted ATOM size in a .dir (aka Director) file.
{
"affected": [],
"aliases": [
"CVE-2010-1282"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-05-13T17:30:00Z",
"severity": "MODERATE"
},
"details": "Adobe Shockwave Player before 11.5.7.609 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted ATOM size in a .dir (aka Director) file.",
"id": "GHSA-8w78-hr8v-fm5g",
"modified": "2022-05-02T06:21:08Z",
"published": "2022-05-02T06:21:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1282"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7388"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html"
},
{
"type": "WEB",
"url": "http://hi.baidu.com/fs_fx/blog/item/f8de1d18ba8c9b76dbb4bd56.html"
},
{
"type": "WEB",
"url": "http://www.adobe.com/support/security/bulletins/apsb10-12.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/511254/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/40088"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1128"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8WQQ-XRHR-W6MF
Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2022-10-07 18:16perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.
{
"affected": [],
"aliases": [
"CVE-2013-7488"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-07T18:15:00Z",
"severity": "MODERATE"
},
"details": "perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.",
"id": "GHSA-8wqq-xrhr-w6mf",
"modified": "2022-10-07T18:16:21Z",
"published": "2022-05-05T00:29:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7488"
},
{
"type": "WEB",
"url": "https://github.com/gbarr/perl-Convert-ASN1/issues/14"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6V3PJEQOT47ZO77263XPGS3Y3AJROI4X"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ONNQSW4SSKMG5RUEFZJZA5T5R2WXEGQF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8XQW-FXRF-XJ63
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.
{
"affected": [],
"aliases": [
"CVE-2018-18701"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-29T12:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"id": "GHSA-8xqw-fxrf-xj63",
"modified": "2022-05-13T01:27:13Z",
"published": "2022-05-13T01:27:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18701"
},
{
"type": "WEB",
"url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4326-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4336-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-923W-8GR7-5984
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.
{
"affected": [],
"aliases": [
"CVE-2016-4453"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-06-01T22:59:00Z",
"severity": "MODERATE"
},
"details": "The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.",
"id": "GHSA-923w-8gr7-5984",
"modified": "2022-05-13T01:26:35Z",
"published": "2022-05-13T01:26:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4453"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1336650"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg05270.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201609-01"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/05/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/90928"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3047-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3047-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.