Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-H36C-3666-H489

Vulnerability from github – Published: 2026-06-25 21:49 – Updated: 2026-06-25 21:50
VLAI
Summary
ImageMagick Vulnerable to Stack Overflow in its MVG Decoder
Details

A crafted MVG file could result in a stack overflow due to a missing depth or visited-set check.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T21:49:59Z",
    "nvd_published_at": "2026-06-10T23:16:49Z",
    "severity": "MODERATE"
  },
  "details": "A crafted MVG file could result in a stack overflow due to a missing depth or visited-set check.",
  "id": "GHSA-h36c-3666-h489",
  "modified": "2026-06-25T21:50:00Z",
  "published": "2026-06-25T21:49:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h36c-3666-h489"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48734"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.14.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick Vulnerable to Stack Overflow in its MVG Decoder"
}

GHSA-H3QM-JRRF-CGJ3

Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2023-02-09 20:23
VLAI
Summary
graphql-go has infinite recursion in the type definition parser
Details

graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/graphql-go/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-10T15:43:18Z",
    "nvd_published_at": "2022-08-01T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.",
  "id": "GHSA-h3qm-jrrf-cgj3",
  "modified": "2023-02-09T20:23:23Z",
  "published": "2022-08-02T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphql-go/graphql/issues/637"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphql-go/graphql/pull/642"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphql-go/graphql/pull/642/commits/4188bd5b3877f7badb951b421cf66e0af2eacb22"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/graphql-go/graphql"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0942"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "graphql-go has infinite recursion in the type definition parser"
}

GHSA-H46W-FFVP-4PW5

Vulnerability from github – Published: 2026-03-16 18:32 – Updated: 2026-06-04 21:31
VLAI
Details

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-16T18:16:10Z",
    "severity": "MODERATE"
  },
  "details": "When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.",
  "id": "GHSA-h46w-ffvp-4pw5",
  "modified": "2026-06-04T21:31:19Z",
  "published": "2026-03-16T18:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4224"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/issues/145986"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/145987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768"
    },
    {
      "type": "WEB",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/16/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H536-VFR2-H6PW

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-25T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.",
  "id": "GHSA-h536-vfr2-h6pw",
  "modified": "2022-05-13T01:23:02Z",
  "published": "2022-05-13T01:23:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9144"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Exiv2/exiv2/issues/712"
    },
    {
      "type": "WEB",
      "url": "https://research.loginsoft.com/bugs/uncontrolled-recursion-loop-in-exiv2anonymous-namespacebigtiffimageprintifd-exiv2-0-27"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107161"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H557-5H69-JF25

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-07 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

perf: Improve missing SIGTRAP checking

To catch missing SIGTRAP we employ a WARN in __perf_event_overflow(), which fires if pending_sigtrap was already set: returning to user space without consuming pending_sigtrap, and then having the event fire again would re-enter the kernel and trigger the WARN.

This, however, seemed to miss the case where some events not associated with progress in the user space task can fire and the interrupt handler runs before the IRQ work meant to consume pending_sigtrap (and generate the SIGTRAP).

syzbot gifted us this stack trace:

| WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow | Modules linked in: | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313 | <...> | Call Trace: | | perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729 | __run_hrtimer kernel/time/hrtimer.c:1685 [inline] | __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749 | hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811 | local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline] | __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113 | sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107 | asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649 | <...> |

In this case, syzbot produced a program with event type PERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer manages to fire again before the IRQ work got a chance to run, all while never having returned to user space.

Improve the WARN to check for real progress in user space: approximate this by storing a 32-bit hash of the current IP into pending_sigtrap, and if an event fires while pending_sigtrap still matches the previous IP, we assume no progress (false negatives are possible given we could return to user space and trigger again on the same IP).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:01Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Improve missing SIGTRAP checking\n\nTo catch missing SIGTRAP we employ a WARN in __perf_event_overflow(),\nwhich fires if pending_sigtrap was already set: returning to user space\nwithout consuming pending_sigtrap, and then having the event fire again\nwould re-enter the kernel and trigger the WARN.\n\nThis, however, seemed to miss the case where some events not associated\nwith progress in the user space task can fire and the interrupt handler\nruns before the IRQ work meant to consume pending_sigtrap (and generate\nthe SIGTRAP).\n\nsyzbot gifted us this stack trace:\n\n | WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow\n | Modules linked in:\n | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0\n | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022\n | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313\n | \u003c...\u003e\n | Call Trace:\n |  \u003cTASK\u003e\n |  perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729\n |  __run_hrtimer kernel/time/hrtimer.c:1685 [inline]\n |  __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749\n |  hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811\n |  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline]\n |  __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113\n |  sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107\n |  asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649\n | \u003c...\u003e\n |  \u003c/TASK\u003e\n\nIn this case, syzbot produced a program with event type\nPERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer\nmanages to fire again before the IRQ work got a chance to run, all while\nnever having returned to user space.\n\nImprove the WARN to check for real progress in user space: approximate\nthis by storing a 32-bit hash of the current IP into pending_sigtrap,\nand if an event fires while pending_sigtrap still matches the previous\nIP, we assume no progress (false negatives are possible given we could\nreturn to user space and trigger again on the same IP).",
  "id": "GHSA-h557-5h69-jf25",
  "modified": "2025-11-07T18:30:25Z",
  "published": "2025-05-01T15:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49782"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35c60b4e8ca76712dd03bafe2598e31578248916"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b09221f1b4944d2866d06ac35e59d7a6f8916c9f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bb88f9695460bec25aa30ba9072595025cf6c8af"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H5HJ-56H4-RWCP

Vulnerability from github – Published: 2026-04-28 12:31 – Updated: 2026-07-09 15:32
VLAI
Details

Uncontrolled Recursion vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-606",
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-28T10:16:03Z",
    "severity": "MODERATE"
  },
  "details": "Uncontrolled Recursion vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.",
  "id": "GHSA-h5hj-56h4-rwcp",
  "modified": "2026-07-09T15:32:01Z",
  "published": "2026-04-28T12:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41606"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:14885"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:21769"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:22347"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:22423"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:23345"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:24539"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36882"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-41606"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463408"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41606.json"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/28/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H85M-6QG2-23FM

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

crypto: hisilicon/qm - increase the memory of local variables

Increase the buffer to prevent stack overflow by fuzz test. The maximum length of the qos configuration buffer is 256 bytes. Currently, the value of the 'val buffer' is only 32 bytes. The sscanf does not check the dest memory length. So the 'val buffer' may stack overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - increase the memory of local variables\n\nIncrease the buffer to prevent stack overflow by fuzz test. The maximum\nlength of the qos configuration buffer is 256 bytes. Currently, the value\nof the \u0027val buffer\u0027 is only 32 bytes. The sscanf does not check the dest\nmemory length. So the \u0027val buffer\u0027 may stack overflow.",
  "id": "GHSA-h85m-6qg2-23fm",
  "modified": "2025-12-11T15:30:30Z",
  "published": "2025-09-18T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50407"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/34c4f8ad45b4ea814c7ecc3f23a2d292959d5a52"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3efe90af4c0c46c58dba1b306de142827153d9c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc521abb6ee4b8f06fdfc52646140dab6a2ed334"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H86H-8PPG-MXMH

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2024-05-20 20:30
VLAI
Summary
golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion
Details

golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "golang.org/x/net"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20210428140749-89ef3d95e781"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-31525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T00:35:49Z",
    "nvd_published_at": "2021-05-27T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.",
  "id": "GHSA-h86h-8ppg-mxmh",
  "modified": "2024-05-20T20:30:58Z",
  "published": "2022-05-24T19:03:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/go/issues/45710"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/golang/go"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/313069"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/45710"
    },
    {
      "type": "WEB",
      "url": "https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0236"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion"
}

GHSA-H8MV-Q3C4-8HW2

Vulnerability from github – Published: 2022-08-20 00:00 – Updated: 2022-08-24 00:00
VLAI
Details

Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121",
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-19T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.",
  "id": "GHSA-h8mv-q3c4-8hw2",
  "modified": "2022-08-24T00:00:31Z",
  "published": "2022-08-20T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23460"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2022-049_Jsonxx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H9MJ-FGHC-664W

Vulnerability from github – Published: 2017-12-28 22:51 – Updated: 2021-09-14 17:16
VLAI
Summary
Denial of Service in mqtt
Details

Affected versions of mqtt do not properly handle PUBLISH packets returning from the server, leading to a Denial of Service condition.

The vulnerability is completely mitigated if the only connected servers are trusted, guaranteed not to be under the control of a malicious actor.

Proof of Concept

The following is a demonstration of how to generate the malicious packet sequence, but does not include information on handling the initial network connections and MQTT overhead.

var mqttp = require('mqtt-packet');
var packets = [];
for(var i=0; i<=1000;i++){
    packets.push(
        mqttp.generate({
            cmd:'publish',
            topic:Buffer.from('hello'),
            payload:Buffer.from('world'),
            retain: false,
            dup: false, 
            messageId: ++i, 
            qos: 1
        })
    )
}

Recommendation

Update to version 2.15.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mqtt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-10910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:39:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Affected versions of `mqtt` do not properly handle PUBLISH packets returning from the server, leading to a Denial of Service condition.\n\nThe vulnerability is completely mitigated if the only connected servers are trusted, guaranteed not to be under the control of a malicious actor.\n\n## Proof of Concept\n\nThe following is a demonstration of how to generate the malicious packet sequence, but does not include information on handling the initial network connections and MQTT overhead.\n```\nvar mqttp = require(\u0027mqtt-packet\u0027);\nvar packets = [];\nfor(var i=0; i\u003c=1000;i++){\n    packets.push(\n        mqttp.generate({\n            cmd:\u0027publish\u0027,\n            topic:Buffer.from(\u0027hello\u0027),\n            payload:Buffer.from(\u0027world\u0027),\n            retain: false,\n            dup: false, \n            messageId: ++i, \n            qos: 1\n        })\n    )\n}\n\n```\n\n\n## Recommendation\n\nUpdate to version 2.15.0 or later.",
  "id": "GHSA-h9mj-fghc-664w",
  "modified": "2021-09-14T17:16:40Z",
  "published": "2017-12-28T22:51:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mqttjs/MQTT.js/commit/403ba53b838f2d319a0c0505a045fe00239e9923"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-h9mj-fghc-664w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mqttjs/MQTT.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mqttjs/MQTT.js/releases/tag/v2.15.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/security-wg/blob/master/vuln/npm/357.json"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN45494523/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/555"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in mqtt"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.