VYPR

CWE-674

Uncontrolled Recursion

ClassDraft

Description

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-230 · CAPEC-231

CVEs mapped to this weakness (235)

page 7 of 12
  • CVE-2026-47317MedMay 19, 2026
    risk 0.29cvss 5.5epss 0.00

    Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Excessive Allocation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

  • CVE-2026-47309MedMay 19, 2026
    risk 0.29cvss 5.5epss 0.00

    Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Oversized Serialized Data Payloads. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

  • CVE-2026-44777MedMay 11, 2026
    risk 0.29cvss 5.5epss 0.00

    jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.

  • CVE-2026-40612MedMay 11, 2026
    risk 0.29cvss 5.5epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

  • CVE-2026-43080MedMay 6, 2026
    risk 0.29cvss 5.5epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: l2tp: Drop large packets with UDP encap syzbot reported a WARN on my patch series [1]. The actual issue is an overflow of 16-bit UDP length field, and it exists in the upstream code. My series added a debug…

  • CVE-2026-6527MedApr 30, 2026
    risk 0.29cvss 5.5epss 0.00

    ASN.1 PER protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

  • CVE-2026-5409MedApr 30, 2026
    risk 0.29cvss 5.5epss 0.00

    Monero protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

  • CVE-2026-5408MedApr 30, 2026
    risk 0.29cvss 5.5epss 0.00

    BT-DHT protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

  • CVE-2026-5406MedApr 30, 2026
    risk 0.29cvss 5.5epss 0.00

    FC-SWILS protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

  • CVE-2026-5401MedApr 30, 2026
    risk 0.29cvss 5.5epss 0.00

    AFP Spotlight protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

  • CVE-2026-5299MedApr 30, 2026
    risk 0.29cvss 5.5epss 0.00

    ICMPv6 PvD protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

  • CVE-2026-33902MedApr 13, 2026
    risk 0.29cvss 5.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested…

  • CVE-2026-23292MedMar 25, 2026
    risk 0.29cvss 5.5epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix recursive locking in __configfs_open_file() In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). …

  • CVE-2026-23276MedMar 20, 2026
    risk 0.29cvss 5.5epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as…

  • CVE-2023-53513MedOct 1, 2025
    risk 0.29cvss 5.5epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: nbd: fix incomplete validation of ioctl arg We tested and found an alarm caused by nbd_ioctl arg without verification. The UBSAN warning calltrace like below: UBSAN: Undefined behaviour in fs/buffer.c:1709:35…

  • CVE-2025-20025MedAug 12, 2025
    risk 0.29cvss 4.4epss 0.00

    Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable denial of service via local access.

  • CVE-2026-47706MedJun 4, 2026
    risk 0.27cvss 5.3epss 0.00

    Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the…

  • CVE-2026-45205MedMay 14, 2026
    risk 0.27cvss 5.3epss 0.00

    Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0. Users are recommended to…

  • CVE-2026-41606MedApr 28, 2026
    risk 0.27cvss 5.3epss 0.01

    Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

  • CVE-2025-55095MedJan 27, 2026
    risk 0.27cvss 4.2epss 0.00

    The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs…