Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1052 vulnerabilities reference this CWE, most recent first.

GHSA-G5GJ-9GGF-9VMQ

Vulnerability from github – Published: 2021-11-10 20:38 – Updated: 2023-10-02 15:58
VLAI
Summary
Infinite certificate chain depth results in OctoRPKI running forever
Details

OctoRPKI (github.com/cloudflare/cfrpki/cmd/octorpki) does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.

For more information

If you have any questions or comments about this advisory email us at security@cloudflare.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cloudflare/cfrpki"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-10T18:18:55Z",
    "nvd_published_at": "2021-11-11T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OctoRPKI (github.com/cloudflare/cfrpki/cmd/octorpki) does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.\n\n### For more information\nIf you have any questions or comments about this advisory email us at security@cloudflare.com \n",
  "id": "GHSA-g5gj-9ggf-9vmq",
  "modified": "2023-10-02T15:58:02Z",
  "published": "2021-11-10T20:38:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3908"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/cfrpki"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5041"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Infinite certificate chain depth results in OctoRPKI running forever"
}

GHSA-G63V-C4X5-2G6V

Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2025-11-04 00:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: fix 6 GHz scan construction

If more than 255 colocated APs exist for the set of all APs found during 2.4/5 GHz scanning, then the 6 GHz scan construction will loop forever since the loop variable has type u8, which can never reach the number found when that's bigger than 255, and is stored in a u32 variable. Also move it into the loops to have a smaller scope.

Using a u32 there is fine, we limit the number of APs in the scan list and each has a limit on the number of RNR entries due to the frame size. With a limit of 1000 scan results, a frame size upper bound of 4096 (really it's more like ~2300) and a TBTT entry size of at least 11, we get an upper bound for the number of ~372k, well in the bounds of a u32.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53055"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T18:15:25Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix 6 GHz scan construction\n\nIf more than 255 colocated APs exist for the set of all\nAPs found during 2.4/5 GHz scanning, then the 6 GHz scan\nconstruction will loop forever since the loop variable\nhas type u8, which can never reach the number found when\nthat\u0027s bigger than 255, and is stored in a u32 variable.\nAlso move it into the loops to have a smaller scope.\n\nUsing a u32 there is fine, we limit the number of APs in\nthe scan list and each has a limit on the number of RNR\nentries due to the frame size. With a limit of 1000 scan\nresults, a frame size upper bound of 4096 (really it\u0027s\nmore like ~2300) and a TBTT entry size of at least 11,\nwe get an upper bound for the number of ~372k, well in\nthe bounds of a u32.",
  "id": "GHSA-g63v-c4x5-2g6v",
  "modified": "2025-11-04T00:32:04Z",
  "published": "2024-11-19T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53055"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ac15e5a8f42fed5d90ed9e1197600913678c50f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ccd5badadab2d586e91546bf5af3deda07fef1f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7245012f0f496162dd95d888ed2ceb5a35170f1a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cde8a7eb5c6762264ff0f4433358e0a0d250c875"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc621e7a043de346c33bd7ae7e2e0c651d6152ef"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G64F-GXFJ-JR57

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44
VLAI
Details

The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_timer.h in the Linux kernel before 4.13 allows local users to cause a denial of service (infinite recursion) by writing to a file under /sys/kernel/debug in certain circumstances, as demonstrated by a scenario involving debugfs, ftrace, PREEMPT_TRACER, and FUNCTION_GRAPH_TRACER.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-19T08:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_timer.h in the Linux kernel before 4.13 allows local users to cause a denial of service (infinite recursion) by writing to a file under /sys/kernel/debug in certain circumstances, as demonstrated by a scenario involving debugfs, ftrace, PREEMPT_TRACER, and FUNCTION_GRAPH_TRACER.",
  "id": "GHSA-g64f-gxfj-jr57",
  "modified": "2022-05-13T01:44:38Z",
  "published": "2022-05-13T01:44:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18261"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/adb4f11e0a8f4e29900adb2b7af28b6bbd5c1fa4"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=adb4f11e0a8f4e29900adb2b7af28b6bbd5c1fa4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G66J-3R55-GRH3

Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20
VLAI
Details

An issue was discovered in LibVNCServer before 0.9.13. An improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-17T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in LibVNCServer before 0.9.13. An improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c.",
  "id": "GHSA-g66j-3r55-grh3",
  "modified": "2022-05-24T17:20:47Z",
  "published": "2022-05-24T17:20:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibVNC/libvncserver/commit/57433015f856cc12753378254ce4f1c78f5d9c7b"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibVNC/libvncserver/compare/LibVNCServer-0.9.12...LibVNCServer-0.9.13"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4434-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00055.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00066.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6V2-566P-8FGX

Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-23 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

NFS: Avoid writeback threads getting stuck in mempool_alloc()

In a low memory situation, allow the NFS writeback code to fail without getting stuck in infinite loops in mempool_alloc().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Avoid writeback threads getting stuck in mempool_alloc()\n\nIn a low memory situation, allow the NFS writeback code to fail without\ngetting stuck in infinite loops in mempool_alloc().",
  "id": "GHSA-g6v2-566p-8fgx",
  "modified": "2025-09-23T18:30:20Z",
  "published": "2025-09-23T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49097"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0bae835b63c53f86cdc524f5962e39409585b22c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b3fa9a3c420c31e77b406ddc28f3a627100516c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6caeddd68977a1aaaf62fbd1955b41dd5c3c5d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c74e2f6ecc51bd08bb5b0335477dba954a50592e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea029e4ce760f786919d06ef52efa2e50ea92a5f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6X2-39G4-M6XQ

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-04-20 03:36
VLAI
Details

In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SIGCOMP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-sigcomp.c by correcting a memory-size check.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-12T23:59:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SIGCOMP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-sigcomp.c by correcting a memory-size check.",
  "id": "GHSA-g6x2-39g4-m6xq",
  "modified": "2025-04-20T03:36:01Z",
  "published": "2022-05-13T01:47:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7745"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13578"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=acd8e1a9b17ad274bea1e01e10e4481508a1cbf0"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=acd8e1a9b17ad274bea1e01e10e4481508a1cbf0"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2017-20.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97627"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7JQ-J257-RWW2

Vulnerability from github – Published: 2026-05-27 03:30 – Updated: 2026-07-01 18:04
VLAI
Summary
OpenStack Swift: s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body
Details

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "swift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.36.0"
            },
            {
              "last_affected": "2.36.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "swift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.37.0"
            },
            {
              "last_affected": "2.37.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T18:04:11Z",
    "nvd_published_at": "2026-05-27T02:16:34Z",
    "severity": "HIGH"
  },
  "details": "In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.",
  "id": "GHSA-g7jq-j257-rww2",
  "modified": "2026-07-01T18:04:11Z",
  "published": "2026-05-27T03:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49017"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/bugs/2152205"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/swift"
    },
    {
      "type": "WEB",
      "url": "https://review.opendev.org/c/openstack/swift/+/987957"
    },
    {
      "type": "WEB",
      "url": "https://review.opendev.org/c/openstack/swift/+/988093"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/27/9"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/02/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack Swift: s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body"
}

GHSA-G85J-48PG-M4XC

Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48
VLAI
Details

An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-10T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request.",
  "id": "GHSA-g85j-48pg-m4xc",
  "modified": "2022-05-13T01:48:59Z",
  "published": "2022-05-13T01:48:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10981"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201810-06"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4201"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xen.org/xsa/advisory-262.html"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2018/05/08/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104149"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G925-QGM3-HC5P

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: prevent infinite loops caused by the next valid being the same

When processing valid within the range [valid : pos), if valid cannot be retrieved correctly, for example, if the retrieved valid value is always the same, this can trigger a potential infinite loop, similar to the hung problem reported by syzbot [1].

Adding a check for the valid value within the loop body, and terminating the loop and returning -EINVAL if the value is the same as the current value, can prevent this.

[1] INFO: task syz.4.21:6056 blocked for more than 143 seconds. Call Trace: rwbase_write_lock+0x14f/0x750 kernel/locking/rwbase_rt.c:244 inode_lock include/linux/fs.h:1027 [inline] ntfs_file_write_iter+0xe6/0x870 fs/ntfs3/file.c:1284

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:16:58Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: prevent infinite loops caused by the next valid being the same\n\nWhen processing valid within the range [valid : pos), if valid cannot\nbe retrieved correctly, for example, if the retrieved valid value is\nalways the same, this can trigger a potential infinite loop, similar\nto the hung problem reported by syzbot [1].\n\nAdding a check for the valid value within the loop body, and terminating\nthe loop and returning -EINVAL if the value is the same as the current\nvalue, can prevent this.\n\n[1]\nINFO: task syz.4.21:6056 blocked for more than 143 seconds.\nCall Trace:\n rwbase_write_lock+0x14f/0x750 kernel/locking/rwbase_rt.c:244\n inode_lock include/linux/fs.h:1027 [inline]\n ntfs_file_write_iter+0xe6/0x870 fs/ntfs3/file.c:1284",
  "id": "GHSA-g925-qgm3-hc5p",
  "modified": "2026-06-25T21:31:18Z",
  "published": "2026-05-27T15:33:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45864"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/27b75ca4e51e3e4554dc85dbf1a0246c66106fd3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bf3bafb8e0635ed93e3cd4156dcbcc0fb960cb4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50c822fcb36768f1fb356f05b02a2248ef81936d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d93239b4fc479f7c0a412dd196ec0ca2672d14a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/71c8b966ec56e13c02388c1312910588bb49be7a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a47a2bb9aa6455d5cee1045814a60c749309c92b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b97e371e5d1c13d722335d46eb8bc1a22b272a0e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G97W-MW7G-V3JV

Vulnerability from github – Published: 2025-07-27 21:32 – Updated: 2025-07-28 15:36
VLAI
Summary
Duplicate Advisory: Low severity (DoS) vulnerability in sequoia-openpgp
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9344-p847-qm5c. This link is maintained to preserve external references.

Original Description

The sequoia-openpgp crate 1.13.0 before 1.21.0 for Rust allows an infinite loop of "Reading a cert: Invalid operation: Not a Key packet" messages for RawCertParser operations that encounter an unsupported primary key type.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "sequoia-openpgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0"
            },
            {
              "fixed": "1.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-28T15:36:45Z",
    "nvd_published_at": "2025-07-27T20:15:24Z",
    "severity": "LOW"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9344-p847-qm5c. This link is maintained to preserve external references.\n\n### Original Description\nThe sequoia-openpgp crate 1.13.0 before 1.21.0 for Rust allows an infinite loop of \"Reading a cert: Invalid operation: Not a Key packet\" messages for RawCertParser operations that encounter an unsupported primary key type.",
  "id": "GHSA-g97w-mw7g-v3jv",
  "modified": "2025-07-28T15:36:45Z",
  "published": "2025-07-27T21:32:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58261"
    },
    {
      "type": "WEB",
      "url": "https://crates.io/crates/sequoia-openpgp"
    },
    {
      "type": "PACKAGE",
      "url": "https://gitlab.com/sequoia-pgp/sequoia"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/sequoia-pgp/sequoia/-/issues/1106"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0345.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Low severity (DoS) vulnerability in sequoia-openpgp",
  "withdrawn": "2025-07-28T15:36:45Z"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.