Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1052 vulnerabilities reference this CWE, most recent first.

GHSA-CH98-87FR-X9F7

Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-11-04 00:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

filemap: Fix bounds checking in filemap_read()

If the caller supplies an iocb->ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop.

This behaviour was discovered when testing xfstests generic/525 with the "localio" optimisation for loopback NFS mounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T02:16:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: Fix bounds checking in filemap_read()\n\nIf the caller supplies an iocb-\u003eki_pos value that is close to the\nfilesystem upper limit, and an iterator with a count that causes us to\noverflow that limit, then filemap_read() enters an infinite loop.\n\nThis behaviour was discovered when testing xfstests generic/525 with the\n\"localio\" optimisation for loopback NFS mounts.",
  "id": "GHSA-ch98-87fr-x9f7",
  "modified": "2025-11-04T00:32:03Z",
  "published": "2024-11-19T03:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50272"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26530b757c81f1389fb33ae0357500150933161b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6450e73f4c86d481ac2e22e1bc848d346e140826"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6cc52df69e8464811f9f6fc12f7aaa78451eb0b8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2746ab3bbc9c6408da5cd072653ec8c24749235"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ace149e0830c380ddfce7e466fe860ca502fe4ee"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CH9P-9C28-4R3P

Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13
VLAI
Details

QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-12-29T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS.",
  "id": "GHSA-ch9p-9c28-4r3p",
  "modified": "2022-05-13T01:13:38Z",
  "published": "2022-05-13T01:13:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1981"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2016:2585"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2016-1981"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1298570"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03454.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201604-01"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2585.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3469"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3470"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3471"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/19/10"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/22/1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/81549"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CHRM-V6G8-H3F6

Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24
VLAI
Details

The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted VICAR file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-27T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted VICAR file.",
  "id": "GHSA-chrm-v6g8-h3f6",
  "modified": "2022-05-13T01:24:51Z",
  "published": "2022-05-13T01:24:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8903"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1195271"
    },
    {
      "type": "WEB",
      "url": "http://trac.imagemagick.org/changeset/17856"
    },
    {
      "type": "WEB",
      "url": "http://www.imagemagick.org/discourse-server/viewtopic.php?f=3\u0026t=26933"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/02/26/13"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/06/06/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJ46-35HF-RV96

Vulnerability from github – Published: 2022-09-29 00:00 – Updated: 2022-10-01 00:00
VLAI
Details

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674",
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-28T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress \"quines\" gzip files, resulting in an infinite loop.",
  "id": "GHSA-cj46-35hf-rv96",
  "modified": "2022-10-01T00:00:19Z",
  "published": "2022-09-29T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31628"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=81726"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202211-03"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221209-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5277"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJ8R-MPPQ-QJM5

Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2024-04-04 02:41
VLAI
Details

A denial-of-service vulnerability exists in the processing of multi-part/form-data requests in the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-03T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service vulnerability exists in the processing of multi-part/form-data requests in the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server.",
  "id": "GHSA-cj8r-mppq-qjm5",
  "modified": "2024-04-04T02:41:49Z",
  "published": "2022-05-24T17:02:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5097"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0889"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJW6-VW4C-Q3FW

Vulnerability from github – Published: 2023-09-18 09:30 – Updated: 2024-04-04 07:43
VLAI
Details

Certain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0 , Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-18T07:15:38Z",
    "severity": "HIGH"
  },
  "details": "Certain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0 , Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.",
  "id": "GHSA-cjw6-vw4c-q3fw",
  "modified": "2024-04-04T07:43:06Z",
  "published": "2023-09-18T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42525"
    },
    {
      "type": "WEB",
      "url": "https://www.withsecure.com/en/support/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CM8F-H6J3-P25C

Vulnerability from github – Published: 2022-05-24 22:05 – Updated: 2023-08-29 23:32
VLAI
Summary
Pion DTLS Header reconstruction method can be thrown into an infinite loop
Details

Impact

An attacker can send packets that will send Pion DTLS into an infinite loop when processing.

Patches

Upgrade to Pion DTLS v2.1.4

Workarounds

No workarounds available, upgrade to Pion DTLS v2.1.4

References

Thank you to Juho Nurminen and the Mattermost team for discovering and reporting this.

For more information

If you have any questions or comments about this advisory: * Open an issue in Pion DTLS * Email us at team@pion.ly

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pion/dtls"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pion/dtls/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-24T22:05:00Z",
    "nvd_published_at": "2022-05-21T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn attacker can send packets that will send Pion DTLS into an infinite loop when processing.\n\n### Patches\nUpgrade to Pion DTLS v2.1.4\n\n### Workarounds\nNo workarounds available, upgrade to Pion DTLS v2.1.4\n\n### References\nThank you to [Juho Nurminen](https://github.com/jupenur) and the Mattermost team for discovering and reporting this. \n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Pion DTLS](http://github.com/pion/dtls)\n* Email us at [team@pion.ly](mailto:team@pion.ly)\n",
  "id": "GHSA-cm8f-h6j3-p25c",
  "modified": "2023-08-29T23:32:40Z",
  "published": "2022-05-24T22:05:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pion/dtls/security/advisories/GHSA-cm8f-h6j3-p25c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pion/dtls/commit/e0b2ce3592e8e7d73713ac67b363a2e192a4cecf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pion/dtls/releases/tag/v2.1.4"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0460"
    },
    {
      "type": "PACKAGE",
      "url": "github.com/pion/dtls"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pion DTLS Header reconstruction method can be thrown into an infinite loop"
}

GHSA-CQ2J-HRGF-RXGP

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2024-03-21 03:34
VLAI
Details

Unbound before 1.9.5 allows an infinite loop via a compressed name in dname_pkt_copy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-27T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "Unbound before 1.9.5 allows an infinite loop via a compressed name in dname_pkt_copy.",
  "id": "GHSA-cq2j-hrgf-rxgp",
  "modified": "2024-03-21T03:34:04Z",
  "published": "2022-05-24T17:48:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25040"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210507-0007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQ38-JH5F-37MQ

Vulnerability from github – Published: 2024-09-04 20:18 – Updated: 2024-09-04 21:34
VLAI
Summary
sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
Details

Impact

sigstore-go is susceptible to a denial of service attack when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these data structures is computationally expensive. This can be used to consume excessive CPU resources, leading to a denial of service attack. TUF's security model labels this type of vulnerability an "Endless data attack," and can lead to verification failing to complete and disrupting services that rely on sigstore-go for verification.

The vulnerable loops are in the verification functions in the package github.com/sigstore/sigstore-go/pkg/verify. The first is the DSSE envelope verification loop in verifyEnvelopeWithArtifact, which decodes all the digests in an attestation can be found here:

https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/signature.go#L183-L193

The next loop is in the VerifyArtifactTransparencyLog function, which verifies all the signed entries in a bundle:

https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tlog.go#L74-L178

The next loop is the VerifyTimestampAuthority function, which verifies all the RFC 3161 timestamps in a bundle:

https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tsa.go#L59-L68

Patches

This vulnerability is addressed with sigstore-go 0.6.1, which adds hard limits to the number of verifiable data structures that can be processed in a bundle. Verification will fail if a bundle has data that exceeds these limits. The limits are:

  • 32 signed transparency log entries
  • 32 RFC 3161 timestamps
  • 1024 attestation subjects
  • 32 digests per attestation subject

These limits are intended to be high enough to accommodate the vast majority of use cases, while preventing the verification of maliciously crafted bundles that contain large amounts of verifiable data.

Workarounds

The best way to mitigate the risk is to upgrade to sigstore-go 0.6.1 or later. Users who are vulnerable but unable to quickly upgrade may consider adding manual bundle validation to enforce limits similar to those in the referenced patch prior to calling sigstore-go's verification functions.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sigstore/sigstore-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-04T20:18:18Z",
    "nvd_published_at": "2024-09-04T21:15:14Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nsigstore-go is susceptible to a denial of service attack when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these data structures is computationally expensive. This can be used to consume excessive CPU resources, leading to a denial of service attack. TUF\u0027s security model labels this type of vulnerability an \"Endless data attack,\" and can lead to verification failing to complete and disrupting services that rely on sigstore-go for verification.\n\nThe vulnerable loops are in the verification functions in the package `github.com/sigstore/sigstore-go/pkg/verify`. The first is the DSSE envelope verification loop in `verifyEnvelopeWithArtifact`, which decodes all the digests in an attestation can be found here:\n\nhttps://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/signature.go#L183-L193\n\nThe next loop is in the `VerifyArtifactTransparencyLog` function, which verifies all the signed entries in a bundle:\n\nhttps://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tlog.go#L74-L178\n\nThe next loop is the `VerifyTimestampAuthority` function, which verifies all the RFC 3161 timestamps in a bundle:\n\nhttps://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tsa.go#L59-L68\n\n### Patches\n\nThis vulnerability is addressed with sigstore-go 0.6.1, which adds hard limits to the number of verifiable data structures that can be processed in a bundle. Verification will fail if a bundle has data that exceeds these limits. The limits are:\n\n- 32 signed transparency log entries\n- 32 RFC 3161 timestamps\n- 1024 attestation subjects\n- 32 digests per attestation subject\n\nThese limits are intended to be high enough to accommodate the vast majority of use cases, while preventing the verification of maliciously crafted bundles that contain large amounts of verifiable data.\n\n### Workarounds\n\nThe best way to mitigate the risk is to upgrade to sigstore-go 0.6.1 or later. Users who are vulnerable but unable to quickly upgrade may consider adding manual bundle validation to enforce limits similar to those in the referenced patch prior to calling sigstore-go\u0027s verification functions.\n",
  "id": "GHSA-cq38-jh5f-37mq",
  "modified": "2024-09-04T21:34:54Z",
  "published": "2024-09-04T20:18:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45395"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-go/commit/01e70e89e58226286d7977b4dba43b6be472b12c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sigstore/sigstore-go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/signature.go#L183-L193"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tlog.go#L74-L178"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tsa.go#L59-L68"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "sigstore-go has an unbounded loop over untrusted input can lead to endless data attack"
}

GHSA-CQ9M-7482-XQ9J

Vulnerability from github – Published: 2025-03-12 12:30 – Updated: 2025-03-13 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nvmet: Fix crash when a namespace is disabled

The namespace percpu counter protects pending I/O, and we can only safely diable the namespace once the counter drop to zero. Otherwise we end up with a crash when running blktests/nvme/058 (eg for loop transport):

[ 2352.930426] [ T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI [ 2352.930431] [ T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 2352.930434] [ T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G W 6.13.0-rc6 #232 [ 2352.930438] [ T53909] Tainted: [W]=WARN [ 2352.930440] [ T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [ 2352.930443] [ T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop] [ 2352.930449] [ T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180

as the queue is already torn down when calling submit_bio();

So we need to init the percpu counter in nvmet_ns_enable(), and wait for it to drop to zero in nvmet_ns_disable() to avoid having I/O pending after the namespace has been disabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T10:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: Fix crash when a namespace is disabled\n\nThe namespace percpu counter protects pending I/O, and we can\nonly safely diable the namespace once the counter drop to zero.\nOtherwise we end up with a crash when running blktests/nvme/058\n(eg for loop transport):\n\n[ 2352.930426] [  T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI\n[ 2352.930431] [  T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n[ 2352.930434] [  T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G        W          6.13.0-rc6 #232\n[ 2352.930438] [  T53909] Tainted: [W]=WARN\n[ 2352.930440] [  T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n[ 2352.930443] [  T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\n[ 2352.930449] [  T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180\n\nas the queue is already torn down when calling submit_bio();\n\nSo we need to init the percpu counter in nvmet_ns_enable(), and\nwait for it to drop to zero in nvmet_ns_disable() to avoid having\nI/O pending after the namespace has been disabled.",
  "id": "GHSA-cq9m-7482-xq9j",
  "modified": "2025-03-13T18:32:21Z",
  "published": "2025-03-12T12:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21850"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4082326807072b71496501b6a0c55ffe8d5092a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc0607594f6813342b27c752c6fb6f6eb9980cb5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.