CWE-407

Inefficient Algorithmic Complexity

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: Low

Description

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (67)

  • CVE-2026-41850 (High), Jun 9, 2026
    risk 0.49, CVSS 7.5, EPSS 0.00

    Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to…

  • CVE-2026-8889 (High), Jun 3, 2026
    risk 0.49, CVSS 7.5, EPSS 0.00

    Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).

  • CVE-2025-67841 (High), Apr 15, 2026
    risk 0.49, CVSS 7.5, EPSS 0.00

    Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue.

  • CVE-2026-31937 (High), Apr 2, 2026
    risk 0.49, CVSS 7.5, EPSS 0.00

    Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.

  • CVE-2026-31934 (High), Apr 2, 2026
    risk 0.49, CVSS 7.5, EPSS 0.00

    Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, there is a quadratic complexity issue when searching for URLs in mime encoded messages over SMTP leading to a performance impact. This issue has been patched in version 8.0.4.

  • CVE-2026-31933 (High), Apr 2, 2026
    risk 0.49, CVSS 7.5, EPSS 0.00

    Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been patched in versions 7.0.15 and 8.0.4.

  • CVE-2026-31932 (High), Apr 2, 2026
    risk 0.49, CVSS 7.5, EPSS 0.00

    Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.

  • CVE-2025-27209 (High), Jul 18, 2025
    risk 0.49, CVSS 7.5, EPSS 0.01

    The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate…

  • CVE-2018-12558 (High), Jun 20, 2018
    risk 0.49, CVSS 7.5, EPSS 0.03

    The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-feed characters ("\f").

  • CVE-2017-11343 (High), Jul 17, 2017
    risk 0.49, CVSS 7.5, EPSS 0.01

    Due to an incomplete fix for CVE-2012-6125, all versions of CHICKEN Scheme up to and including 4.12.0 are vulnerable to an algorithmic complexity attack. An attacker can provide crafted input which, when inserted into the symbol table, will result in O(n) lookup time.

  • CVE-2016-10396 (High), Jul 6, 2017
    risk 0.49, CVSS 7.5, EPSS 0.03

    The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable computational-complexity attack when parsing and storing ISAKMP fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint by repeatedly sending ISAKMP…

  • CVE-2023-46136 (High), Oct 25, 2023
    risk 0.45, CVSS 8.0, EPSS 0.01

    Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes…

  • CVE-2026-42504 (High), Jun 2, 2026
    risk 0.42, CVSS 7.5, EPSS 0.01

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-44378 (High), May 27, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded…

  • CVE-2026-48959 (High), May 27, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19…

  • CVE-2026-41292 (High), May 20, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and…

  • CVE-2026-42304 (High), May 13, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can…

  • CVE-2026-42245 (High), May 9, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send…

  • CVE-2026-43967 (High), May 8, 2026
    risk 0.42, CVSS 7.5, EPSS 0.01

    Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for…

  • CVE-2026-40476 (High), Apr 17, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields,…