CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
BaseIncomplete
Description
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (219)
page 11 of 11| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-23221 | Med | 0.28 | 5.4 | 0.00 | Jan 20, 2025 | Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4. | |
| CVE-2026-2739 | Med | 0.27 | 5.3 | 0.00 | Feb 20, 2026 | This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely. | |
| CVE-2026-24802 | Med | 0.27 | — | 0.00 | Jan 27, 2026 | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java. This issue affects jsonrpc4j: through 1.6.0. | |
| CVE-2024-32886 | Med | 0.25 | 4.9 | 0.00 | May 8, 2024 | Vitess is a database clustering system for horizontal scaling of MySQL. When executing the following simple query, the `vtgate` will go into an endless loop that also keeps consuming memory and eventually will run out of memory. This vulnerability is fixed in 19.0.4, 18.0.5, and 17.0.7. | |
| CVE-2025-30187 | Low | 0.24 | 3.7 | 0.00 | Sep 18, 2025 | In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. | |
| CVE-2026-41285 | Med | 0.21 | 4.3 | 0.00 | Apr 21, 2026 | In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_opt_len * 8 - 2" expression with no preceding check for whether nd_opt_len is zero. | |
| CVE-2024-55565 | Med | 0.21 | 4.3 | 0.00 | Dec 9, 2024 | nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version. | |
| CVE-2025-42954 | Low | 0.18 | 2.7 | 0.00 | Jul 8, 2025 | SAP NetWeaver Business Warehouse CCAW application allows a privileged attacker to cause a high CPU load by executing a RFC enabled function modules without any input parameters, which results in reduced performance or interrupted operation of the affected resource. This leads to low impact on availability of the application, there is no impact on confidentiality and integrity. | |
| CVE-2011-1002 | 0.05 | — | 0.68 | Feb 22, 2011 | avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty mDNS (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244. | ||
| CVE-2004-0748 | 0.02 | — | 0.19 | Oct 20, 2004 | mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop. | ||
| CVE-2006-6499 | 0.01 | — | 0.14 | Dec 20, 2006 | The js_dtoa function in Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird before 1.5.0.9, and SeaMonkey before 1.0.7 overwrites memory instead of exiting when the floating point precision is reduced, which allows remote attackers to cause a denial of service via any plugins that reduce the precision. | ||
| CVE-2005-2224 | 0.01 | — | 0.09 | Jul 12, 2005 | aspnet_wp.exe in Microsoft ASP.NET web services allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a crafted SOAP message to an RPC/Encoded method. | ||
| CVE-2004-0753 | 0.01 | — | 0.12 | Oct 20, 2004 | The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file. | ||
| CVE-2013-2789 | 0.00 | — | 0.00 | Aug 22, 2013 | The Kepware DNP Master Driver for the KEPServerEX Communications Platform before 5.12.140.0 allows remote attackers to cause a denial of service (master-station infinite loop) via crafted DNP3 packets to TCP port 20000 and allows physically proximate attackers to cause a denial of service (master-station infinite loop) via crafted input over a serial line. | ||
| CVE-2011-2213 | 0.00 | — | 0.00 | Aug 29, 2011 | The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel before 2.6.39.3 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880. | ||
| CVE-2010-3880 | 0.00 | — | 0.00 | Dec 10, 2010 | net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions. | ||
| CVE-2009-2906 | 0.00 | — | 0.00 | Oct 7, 2009 | smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet. | ||
| CVE-2009-1270 | 0.00 | — | 0.04 | Apr 8, 2009 | libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted TAR file that causes (1) clamd and (2) clamscan to hang. | ||
| CVE-2005-0851 | 0.00 | — | 0.00 | May 2, 2005 | FileZilla FTP server before 0.9.6, when using MODE Z (zlib compression), allows remote attackers to cause a denial of service (infinite loop) via certain file uploads or directory listings. |