CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1052 vulnerabilities reference this CWE, most recent first.
GHSA-333M-Q4JM-QJQ4
Vulnerability from github – Published: 2024-10-21 15:32 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
x86/sgx: Fix deadlock in SGX NUMA node search
When the current node doesn't have an EPC section configured by firmware and all other EPC sections are used up, CPU can get stuck inside the while loop that looks for an available EPC page from remote nodes indefinitely, leading to a soft lockup. Note how nid_of_current will never be equal to nid in that while loop because nid_of_current is not set in sgx_numa_mask.
Also worth mentioning is that it's perfectly fine for the firmware not to setup an EPC section on a node. While setting up an EPC section on each node can enhance performance, it is not a requirement for functionality.
Rework the loop to start and end on a node that has SGX memory. This avoids the deadlock looking for the current SGX-lacking node to show up in the loop when it never will.
{
"affected": [],
"aliases": [
"CVE-2024-49856"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T13:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Fix deadlock in SGX NUMA node search\n\nWhen the current node doesn\u0027t have an EPC section configured by firmware\nand all other EPC sections are used up, CPU can get stuck inside the\nwhile loop that looks for an available EPC page from remote nodes\nindefinitely, leading to a soft lockup. Note how nid_of_current will\nnever be equal to nid in that while loop because nid_of_current is not\nset in sgx_numa_mask.\n\nAlso worth mentioning is that it\u0027s perfectly fine for the firmware not\nto setup an EPC section on a node. While setting up an EPC section on\neach node can enhance performance, it is not a requirement for\nfunctionality.\n\nRework the loop to start and end on *a* node that has SGX memory. This\navoids the deadlock looking for the current SGX-lacking node to show up\nin the loop when it never will.",
"id": "GHSA-333m-q4jm-qjq4",
"modified": "2025-11-04T00:31:39Z",
"published": "2024-10-21T15:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49856"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f89fb4042c08fd143bfc28af08bf6c8a0197eea"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/20c96d0aaabfe361fc2a11c173968dc67feadbbf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/40fb64257dab507d86b5f1f2a62f3669ef0c91a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8132510c915815e6b537ab937d94ed66893bc7b8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c936844010466535bd46ea4ce4656ef17653644"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb2d057539eda67ec7cfc369bf587e6518a9b99d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3448-VFVV-XP9G
Vulnerability from github – Published: 2018-12-26 17:45 – Updated: 2023-09-27 11:10A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tika:tika-parsers"
},
"ranges": [
{
"events": [
{
"introduced": "1.8"
},
{
"fixed": "1.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-17197"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:53:58Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika\u0027s SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.",
"id": "GHSA-3448-vfvv-xp9g",
"modified": "2023-09-27T11:10:06Z",
"published": "2018-12-26T17:45:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17197"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3448-vfvv-xp9g"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/7c021a4ea2037e52e74628e17e8e0e2acab1f447160edc8be0eae6d3@%3Cdev.tika.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106293"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Tika Denial of Service due to Infinite Loop in Tika\u0027s SQLite3Parser"
}
GHSA-345H-R9M2-JR4P
Vulnerability from github – Published: 2026-07-14 18:31 – Updated: 2026-07-14 18:31In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment.
{
"affected": [],
"aliases": [
"CVE-2026-62642"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T16:17:04Z",
"severity": "MODERATE"
},
"details": "In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment.",
"id": "GHSA-345h-r9m2-jr4p",
"modified": "2026-07-14T18:31:56Z",
"published": "2026-07-14T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62642"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be12de1daf84355697ffa89"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/commit/877269c79359d959a94f13c9070cab0f3389c193"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de2bd75b486b04f63c0d38"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/commit/fb952956c6eaf29e963f1a718d028d66e7957ce0"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.17"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.2"
},
{
"type": "WEB",
"url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-35W7-H3V9-8QW4
Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2025-11-04 21:30A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.
{
"affected": [],
"aliases": [
"CVE-2023-43786"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-10T13:15:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.",
"id": "GHSA-35w7-h3v9-8qw4",
"modified": "2025-11-04T21:30:43Z",
"published": "2023-10-10T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43786"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2145"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2973"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-43786"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242253"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63IBRFLQVZSMOAZBZOBKFWJP26ILRAGQ"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231103-0006"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/24/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-362J-4WP6-47GJ
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. With the port to using poll rather than select, exhaustion of file descriptors would cause the server to enter an infinite loop, consuming a large amount of CPU time and denying service to other clients until restarted.
{
"affected": [],
"aliases": [
"CVE-2018-14621"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-30T13:29:00Z",
"severity": "HIGH"
},
"details": "An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. With the port to using poll rather than select, exhaustion of file descriptors would cause the server to enter an infinite loop, consuming a large amount of CPU time and denying service to other clients until restarted.",
"id": "GHSA-362j-4wp6-47gj",
"modified": "2022-05-13T01:34:32Z",
"published": "2022-05-13T01:34:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14621"
},
{
"type": "WEB",
"url": "https://bugzilla.novell.com/show_bug.cgi?id=968175"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14621"
},
{
"type": "WEB",
"url": "http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=fce98161d9815ea016855d9f00274276452c2c4b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-368C-6QH8-76FJ
Vulnerability from github – Published: 2024-06-17 21:31 – Updated: 2024-11-18 16:26A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this vulnerability is the function isoffin_process of the file src/filters/isoffin_read.c of the component MP4Box. The manipulation leads to infinite loop. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The identifier of the patch is 20c0f29139a82779b86453ce7f68d0681ec7624c. It is recommended to apply a patch to fix this issue. The identifier VDB-268789 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-6061"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-17T20:15:14Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this vulnerability is the function isoffin_process of the file src/filters/isoffin_read.c of the component MP4Box. The manipulation leads to infinite loop. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The identifier of the patch is 20c0f29139a82779b86453ce7f68d0681ec7624c. It is recommended to apply a patch to fix this issue. The identifier VDB-268789 was assigned to this vulnerability.",
"id": "GHSA-368c-6qh8-76fj",
"modified": "2024-11-18T16:26:44Z",
"published": "2024-06-17T21:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6061"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/2871"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/20c0f29139a82779b86453ce7f68d0681ec7624c"
},
{
"type": "WEB",
"url": "https://github.com/user-attachments/files/15801058/poc1.zip"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.268789"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.268789"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.356308"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-36H2-G4C8-9XCM
Vulnerability from github – Published: 2024-07-08 21:31 – Updated: 2024-08-30 19:56A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This results in the server endlessly connecting to itself, rendering it unable to respond to other connections.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aim"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.19.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6227"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-07T20:38:41Z",
"nvd_published_at": "2024-07-08T19:15:10Z",
"severity": "HIGH"
},
"details": "A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This results in the server endlessly connecting to itself, rendering it unable to respond to other connections.",
"id": "GHSA-36h2-g4c8-9xcm",
"modified": "2024-08-30T19:56:11Z",
"published": "2024-07-08T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6227"
},
{
"type": "PACKAGE",
"url": "https://github.com/aimhubio/aim"
},
{
"type": "WEB",
"url": "https://github.com/aimhubio/aim/blob/2e7b8aff8dcba9ddd5043dfec88cf2319ba8a87c/aim/sdk/repo.py#L195"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/abcea7c6-bb3b-45e9-aa15-9eb6b224451a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Aim denial of service vulnerability"
}
GHSA-378V-28HJ-76WF
Vulnerability from github – Published: 2026-02-20 06:30 – Updated: 2026-02-24 14:45This affects versions of the package bn.js before 4.12.3 and 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "bn.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.12.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "bn.js"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2739"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-20T21:18:31Z",
"nvd_published_at": "2026-02-20T05:17:53Z",
"severity": "MODERATE"
},
"details": "This affects versions of the package bn.js before 4.12.3 and 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.",
"id": "GHSA-378v-28hj-76wf",
"modified": "2026-02-24T14:45:53Z",
"published": "2026-02-20T06:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2739"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/issues/186"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/issues/316"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/issues/316#issuecomment-3924217358"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/pull/317"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b"
},
{
"type": "WEB",
"url": "https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91"
},
{
"type": "PACKAGE",
"url": "https://github.com/indutny/bn.js"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/releases/tag/v5.2.3"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "bn.js affected by an infinite loop"
}
GHSA-37GX-XXP4-5RGX
Vulnerability from github – Published: 2026-04-14 23:30 – Updated: 2026-04-17 13:19Executive Summary:
Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in EncryptedXml class where an attacker can cause an infinite loop and perform a Denial of Service attack.
Announcement
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/392
CVSS Details
- Version: 3.1
- Severity: High
- Score: 7.5
- Vector: 7.5 CVSS: 3.1AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
- Weakness: CWE-835 CWE-400 CWE-20: Loop with Unreachable Exit Condition ('Infinite Loop') Uncontrolled Resource Consumption Improper Input Validation
Affected Platforms
- Platforms: All
- Architectures: All
Affected Packages
The vulnerability affects any Microsoft .NET project if it uses any of affected packages versions listed below
.NET 10
| Package name | Affected version | Patched version |
|---|---|---|
| System.Security.Cryptography.Xml | >=10.0.0, <=10.0.5 | 10.0.6 |
.NET 9
| Package name | Affected version | Patched version |
|---|---|---|
| System.Security.Cryptography.Xml | >=9.0.0, <=9.0.14 | 9.0.15 |
.NET 8
| Package name | Affected version | Patched version |
|---|---|---|
| System.Security.Cryptography.Xml | >=8.0.0, <=8.0.2 | 8.0.3 |
Advisory FAQ
How do I know if I am affected?
If using a package listed in affected packages, you're exposed to the vulnerability.
How do I fix the issue?
To update the Using the System.Security.Cryptography.xml NuGet package, use one of the following methods:
NuGet Package Manager UI in Visual Studio: - Open your project in Visual Studio. - Right-click on your project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages". - In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from your configured package sources. - Select the package(s) you wish to update. You can choose a specific version from the dropdown or update to the latest available version. - Click the "Update" button.
Using the NuGet Package Manager Console in Visual Studio: - Open your project in Visual Studio. - Navigate to "Tools > NuGet Package Manager > Package Manager Console". - To update a specific package to its latest version, use the following Update-Package command:
Update-Package -Id System.Security.Cryptography.xml
Using the .NET CLI (Command Line Interface): - Open a terminal or command prompt in your project's directory. - To update a specific package to its latest version, use the following add package command:
dotnet add package System.Security.Cryptography.xml
Once you have updated the nuget package reference you must recompile and deploy your application. Additionally we recommend you update your runtime and/or SDKs, but it is not necessary to patch the vulnerability.
Other Information
Reporting Security Issues
If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the MSRC Researcher Portal. Further information can be found in the MSRC Report an Issue FAQ.
Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
Acknowledgements
Ludvig Pedersen
Revisions
V1.0 (April 14, 2026): Advisory published.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.5"
},
"package": {
"ecosystem": "NuGet",
"name": "System.Security.Cryptography.Xml"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.14"
},
"package": {
"ecosystem": "NuGet",
"name": "System.Security.Cryptography.Xml"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.2"
},
"package": {
"ecosystem": "NuGet",
"name": "System.Security.Cryptography.Xml"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33116"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-400",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T23:30:27Z",
"nvd_published_at": "2026-04-14T18:17:33Z",
"severity": "HIGH"
},
"details": "## Executive Summary: \n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA vulnerability exists in EncryptedXml class where an attacker can cause an infinite loop and perform a Denial of Service attack.\n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/392\n\n## CVSS Details\n\n- **Version:** 3.1\n- **Severity:** High\n- **Score:** 7.5\n- **Vector:** 7.5 CVSS:\u202f3.1AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C\n- **Weakness:** CWE-835 CWE-400 CWE-20: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) Uncontrolled Resource Consumption Improper Input Validation\n\n## Affected Platforms\n\n- **Platforms:** All\n- **Architectures:** All\n\n## \u003ca name=\"affected-packages\"\u003e\u003c/a\u003eAffected Packages\nThe vulnerability affects any Microsoft .NET project if it uses any of affected packages versions listed below\n\n### \u003ca name=\".NET 10\"\u003e\u003c/a\u003e.NET 10\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[System.Security.Cryptography.Xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | \u003e=10.0.0, \u003c=10.0.5 | 10.0.6\n\n### \u003ca name=\".NET 9\"\u003e\u003c/a\u003e.NET 9\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[System.Security.Cryptography.Xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | \u003e=9.0.0, \u003c=9.0.14 | 9.0.15\n\n### \u003ca name=\".NET 8\"\u003e\u003c/a\u003e.NET 8\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[System.Security.Cryptography.Xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | \u003e=8.0.0, \u003c=8.0.2 | 8.0.3\n\n## Advisory FAQ\n\n### \u003ca name=\"how-affected\"\u003e\u003c/a\u003eHow do I know if I am affected?\n\nIf using a package listed in [affected packages](#affected-packages), you\u0027re exposed to the vulnerability.\n\n### \u003ca name=\"how-fix\"\u003e\u003c/a\u003eHow do I fix the issue?\n\nTo update the Using the System.Security.Cryptography.xml NuGet package, use one of the following methods:\n\nNuGet Package Manager UI in Visual Studio:\n- Open your project in Visual Studio.\n- Right-click on your project in Solution Explorer and select \"Manage NuGet Packages...\" or navigate to \"Project \u003e Manage NuGet Packages\".\n- In the NuGet Package Manager window, select the \"Updates\" tab. This tab lists packages with available updates from your configured package sources.\n- Select the package(s) you wish to update. You can choose a specific version from the dropdown or update to the latest available version.\n- Click the \"Update\" button.\n\nUsing the NuGet Package Manager Console in Visual Studio:\n- Open your project in Visual Studio.\n- Navigate to \"Tools \u003e NuGet Package Manager \u003e Package Manager Console\".\n- To update a specific package to its latest version, use the following Update-Package command:\n\n```Update-Package -Id System.Security.Cryptography.xml```\n\nUsing the .NET CLI (Command Line Interface):\n- Open a terminal or command prompt in your project\u0027s directory.\n- To update a specific package to its latest version, use the following add package command:\n\n```dotnet add package System.Security.Cryptography.xml```\n\nOnce you have updated the nuget package reference you must recompile and deploy your application. Additionally we recommend you update your runtime and/or SDKs, but it is not necessary to patch the vulnerability.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue).\n\nSecurity reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.\n\n### Support\n\nYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2026-33116]( https://www.cve.org/CVERecord?id=CVE-2026-33116)\n\n### Acknowledgements\n\nLudvig Pedersen\n\n### Revisions\n\nV1.0 (April 14, 2026): Advisory published.",
"id": "GHSA-37gx-xxp4-5rgx",
"modified": "2026-04-17T13:19:57Z",
"published": "2026-04-14T23:30:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dotnet/runtime/security/advisories/GHSA-37gx-xxp4-5rgx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33116"
},
{
"type": "WEB",
"url": "https://github.com/dotnet/announcements/issues/392"
},
{
"type": "PACKAGE",
"url": "https://github.com/dotnet/runtime"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33116"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Microsoft Security Advisory CVE-2026-33116 \u2013 .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability "
}
GHSA-37HG-4QWQ-2G86
Vulnerability from github – Published: 2025-06-20 21:32 – Updated: 2025-06-20 21:32A vulnerability was found in HobbesOSR Kitten up to c4f8b7c3158983d1020af432be1b417b28686736 and classified as critical. Affected by this issue is the function set_pte_at in the library /include/arch-arm64/pgtable.h. The manipulation leads to resource consumption. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
{
"affected": [],
"aliases": [
"CVE-2025-6365"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-20T21:15:23Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in HobbesOSR Kitten up to c4f8b7c3158983d1020af432be1b417b28686736 and classified as critical. Affected by this issue is the function set_pte_at in the library /include/arch-arm64/pgtable.h. The manipulation leads to resource consumption. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.",
"id": "GHSA-37hg-4qwq-2g86",
"modified": "2025-06-20T21:32:07Z",
"published": "2025-06-20T21:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6365"
},
{
"type": "WEB",
"url": "https://github.com/HobbesOSR/kitten/issues/17"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.313358"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.313358"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.597382"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.