CWE-834
Excessive Iteration
Description
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Hierarchy (View 1000)
CVEs mapped to this weakness (65)
page 3 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-5252 | Med | 0.35 | 5.3 | 0.01 | Jan 5, 2018 | libimageworsener.a in ImageWorsener 1.3.2, when libjpeg 8d is used, has a large loop in the get_raw_sample_int function in imagew-main.c. | ||
| CVE-2026-45680 | Med | 0.31 | 5.9 | 0.00 | Jun 2, 2026 | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very… | ||
| CVE-2026-34043 | Med | 0.31 | 5.9 | 0.00 | Mar 31, 2026 | Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from… | ||
| CVE-2016-7421 | Med | 0.29 | 4.4 | 0.00 | Dec 10, 2016 | The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size. | ||
| CVE-2026-41168 | Med | 0.27 | 5.3 | 0.00 | Apr 22, 2026 | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong… | ||
| CVE-2026-40347 | Med | 0.27 | 5.3 | 0.00 | Apr 18, 2026 | Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the… | ||
| CVE-2024-4603 | Med | 0.27 | 5.3 | 0.01 | May 16, 2024 | Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or… | ||
| CVE-2026-48156 | Low | 0.14 | 3.3 | 0.00 | May 28, 2026 | pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in… | ||
| CVE-2026-27025 | 0.00 | — | 0.00 | Feb 20, 2026 | pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for… | |||
| CVE-2025-62707 | 0.00 | — | 0.00 | Oct 22, 2025 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This… | |||
| CVE-2025-56571 | 0.00 | — | 0.00 | Sep 30, 2025 | Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes. | |||
| CVE-2024-25144 | 0.00 | — | 0.01 | Feb 8, 2024 | The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated… | |||
| CVE-2023-49316 | — | 0.00 | — | 0.01 | Nov 27, 2023 | In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively large degrees can lead to a denial of service. | ||
| CVE-2023-4043 | — | 0.00 | — | 0.01 | Nov 3, 2023 | In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to… | ||
| CVE-2023-29407 | — | 0.00 | — | 0.01 | Aug 2, 2023 | A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero. | ||
| CVE-2023-38200 | 0.00 | — | 0.01 | Jul 24, 2023 | A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections. | |||
| CVE-2023-26513 | 0.00 | — | 0.01 | Mar 20, 2023 | Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2. | |||
| CVE-2022-3616 | 0.00 | — | 0.00 | Oct 28, 2022 | Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya… | |||
| CVE-2022-36083 | 0.00 | — | 0.01 | Sep 7, 2022 | JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2… | |||
| CVE-2021-39204 | 0.00 | — | 0.02 | Sep 9, 2021 | Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS… |
- risk 0.35cvss 5.3epss 0.01
libimageworsener.a in ImageWorsener 1.3.2, when libjpeg 8d is used, has a large loop in the get_raw_sample_int function in imagew-main.c.
- risk 0.31cvss 5.9epss 0.00
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very…
- risk 0.31cvss 5.9epss 0.00
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from…
- risk 0.29cvss 4.4epss 0.00
The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.
- risk 0.27cvss 5.3epss 0.00
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong…
- risk 0.27cvss 5.3epss 0.00
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the…
- risk 0.27cvss 5.3epss 0.01
Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or…
- risk 0.14cvss 3.3epss 0.00
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in…
- CVE-2026-27025Feb 20, 2026risk 0.00cvss —epss 0.00
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for…
- CVE-2025-62707Oct 22, 2025risk 0.00cvss —epss 0.00
pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This…
- CVE-2025-56571Sep 30, 2025risk 0.00cvss —epss 0.00
Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.
- CVE-2024-25144Feb 8, 2024risk 0.00cvss —epss 0.01
The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated…
- CVE-2023-49316Nov 27, 2023risk 0.00cvss —epss 0.01
In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively large degrees can lead to a denial of service.
- CVE-2023-4043Nov 3, 2023risk 0.00cvss —epss 0.01
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to…
- CVE-2023-29407Aug 2, 2023risk 0.00cvss —epss 0.01
A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.
- CVE-2023-38200Jul 24, 2023risk 0.00cvss —epss 0.01
A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections.
- CVE-2023-26513Mar 20, 2023risk 0.00cvss —epss 0.01
Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.
- CVE-2022-3616Oct 28, 2022risk 0.00cvss —epss 0.00
Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya…
- CVE-2022-36083Sep 7, 2022risk 0.00cvss —epss 0.01
JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2…
- CVE-2021-39204Sep 9, 2021risk 0.00cvss —epss 0.02
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS…