Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1060 vulnerabilities reference this CWE, most recent first.

GHSA-97FR-XPPM-59WR

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2025-04-20 03:42
VLAI
Details

ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (infinite loop or crash) by pointing the key file at the log file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-7850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-07T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (infinite loop or crash) by pointing the key file at the log file.",
  "id": "GHSA-97fr-xppm-59wr",
  "modified": "2025-04-20T03:42:20Z",
  "published": "2022-05-13T01:25:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7850"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1274258"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201607-15"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20171004-0001"
    },
    {
      "type": "WEB",
      "url": "http://support.ntp.org/bin/view/Main/NtpBug2917"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2015/dsa-3388"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/77279"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1033951"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97P8-G29R-232J

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12
VLAI
Details

In FFmpeg 2.4 and 3.3.3, the read_data function in libavformat/hls.c does not restrict reload attempts for an insufficient list, which allows remote attackers to cause a denial of service (infinite loop).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-31T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In FFmpeg 2.4 and 3.3.3, the read_data function in libavformat/hls.c does not restrict reload attempts for an insufficient list, which allows remote attackers to cause a denial of service (infinite loop).",
  "id": "GHSA-97p8-g29r-232j",
  "modified": "2022-05-13T01:12:17Z",
  "published": "2022-05-13T01:12:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/7ba100d3e6e8b1e5d5342feb960a7f081d6e15af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/7ec414892ddcad88313848494b6fc5f437c9ca4a"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00041.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3996"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100629"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98G5-6P85-3W3C

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

In the ihevcd_parse_slice_header function of ihevcd_parse_slice_header.c a slice address of zero after the first slice could result in an infinite loop. This could lead to a remote denial of service of a critical system process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-64380202.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-12T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "In the ihevcd_parse_slice_header function of ihevcd_parse_slice_header.c a slice address of zero after the first slice could result in an infinite loop. This could lead to a remote denial of service of a critical system process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-64380202.",
  "id": "GHSA-98g5-6p85-3w3c",
  "modified": "2022-05-13T01:43:05Z",
  "published": "2022-05-13T01:43:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13192"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-01-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102414"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040106"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98W5-63H7-29Q8

Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-05-01 03:30
VLAI
Details

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T02:15:09Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
  "id": "GHSA-98w5-63h7-29q8",
  "modified": "2024-05-01T03:30:30Z",
  "published": "2023-07-13T03:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
    },
    {
      "type": "WEB",
      "url": "https://codereview.qt-project.org/c/qt/qtbase/+/488960"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F5C3NYVJ73ITE6HUOVVHBUAGORVEJRHO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEGQ6DFTL2BEJMHCD5FJGI6XLWQI7UEA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFZORZYCMUZZFIOEZICJ7VH2BZIGY3HV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F5C3NYVJ73ITE6HUOVVHBUAGORVEJRHO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEGQ6DFTL2BEJMHCD5FJGI6XLWQI7UEA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFZORZYCMUZZFIOEZICJ7VH2BZIGY3HV"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-996Q-PR4M-CVGQ

Vulnerability from github – Published: 2026-02-18 22:40 – Updated: 2026-02-23 22:20
VLAI
Summary
pypdf has a possible infinite loop when processing TreeObject
Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3645.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pypdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:40:49Z",
    "nvd_published_at": "2026-02-20T22:16:28Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a `TreeObject`, for example as part of outlines.\n\n### Patches\n\nThis has been fixed in [pypdf==6.7.1](https://github.com/py-pdf/pypdf/releases/tag/6.7.1).\n\n### Workarounds\n\nIf you cannot upgrade yet, consider applying the changes from PR [#3645](https://github.com/py-pdf/pypdf/pull/3645).",
  "id": "GHSA-996q-pr4m-cvgq",
  "modified": "2026-02-23T22:20:39Z",
  "published": "2026-02-18T22:40:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27024"
    },
    {
      "type": "WEB",
      "url": "https://github.com/py-pdf/pypdf/pull/3645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/py-pdf/pypdf/commit/bd2f6d052fe5941e85e37082c2a43453d48d1295"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/py-pdf/pypdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pypdf has a possible infinite loop when processing TreeObject"
}

GHSA-99HP-8RPJ-7HMJ

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-08-01 15:31
VLAI
Details

An issue in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) when an empty array is processed with oneflow.tensordot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T19:15:57Z",
    "severity": "HIGH"
  },
  "details": "An issue in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) when an empty array is processed with oneflow.tensordot.",
  "id": "GHSA-99hp-8rpj-7hmj",
  "modified": "2024-08-01T15:31:47Z",
  "published": "2024-06-06T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36732"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Redmept1on/3feef7639b2bc7891d0cfda6d932adfd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CJV-93G7-C6MV

Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-06-30 15:43
VLAI
Summary
Loop with Unreachable Exit Condition in Jenkins
Details

A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.138.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.138.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.153"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.140"
            },
            {
              "fixed": "2.154"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-30T15:43:19Z",
    "nvd_published_at": "2018-12-10T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.",
  "id": "GHSA-9cjv-93g7-c6mv",
  "modified": "2022-06-30T15:43:19Z",
  "published": "2022-05-13T01:48:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000864"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/73afa0ca786a87f05b5433e2e38f863826fcad17"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2019:0024"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1193"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106176"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Loop with Unreachable Exit Condition in Jenkins"
}

GHSA-9CPC-MH5G-732X

Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30
VLAI
Details

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T16:15:24Z",
    "severity": "HIGH"
  },
  "details": "An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.",
  "id": "GHSA-9cpc-mh5g-732x",
  "modified": "2024-11-12T18:30:56Z",
  "published": "2024-11-12T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50321"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-Multiple-CVEs-Q4-2024-Release"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CV7-3MF5-C22H

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

In ImageMagick 7.0.4-9, an infinite loop can occur because of a floating-point rounding error in some of the color algorithms. This affects ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-10T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "In ImageMagick 7.0.4-9, an infinite loop can occur because of a floating-point rounding error in some of the color algorithms. This affects ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv.",
  "id": "GHSA-9cv7-3mf5-c22h",
  "modified": "2022-05-13T01:47:03Z",
  "published": "2022-05-13T01:47:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7619"
    },
    {
      "type": "WEB",
      "url": "https://www.imagemagick.org/discourse-server/viewtopic.php?f=3\u0026t=31506"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3863"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98689"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F4V-5R6J-67J4

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2025-04-20 03:33
VLAI
Details

In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a Netscaler file parser infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by changing the restrictions on file size.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-04T03:59:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a Netscaler file parser infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by changing the restrictions on file size.",
  "id": "GHSA-9f4v-5r6j-67j4",
  "modified": "2025-04-20T03:33:38Z",
  "published": "2022-05-13T01:46:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6467"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12083"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=284ad58d288722a8725401967bff0c4455488f0c"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=284ad58d288722a8725401967bff0c4455488f0c"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2017-11.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3811"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96561"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.