CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1052 vulnerabilities reference this CWE, most recent first.
GHSA-JXPF-XQ2M-Q525
Vulnerability from github – Published: 2026-04-22 22:09 – Updated: 2026-05-13 13:33Summary
OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch.
Details
CFB directory entries form a red-black tree linked by LeftSiblingID and RightSiblingID fields. OpenMcdf's DirectoryTreeEnumerator and DirectoryTree.TryGetDirectoryEntry traverse this tree without tracking visited node IDs, so a crafted cycle (e.g. entry A's RightSiblingID points to entry B, and entry B's LeftSiblingID points back to entry A) causes traversal to loop indefinitely.
Two distinct code paths are affected:
Storage.EnumerateEntries()-DirectoryTreeEnumerator.MoveNext()never returnsfalse; the same entry is yielded on every iteration and the caller'sforeachnever exits. Heap grows unboundedly as entries accumulate.Storage.OpenStream()-DirectoryTree.TryGetDirectoryEntryloops indefinitely insideDirectoryEntries.TryGetSiblingduring the name lookup.
PoC
A crafted CFB file with a sibling cycle (see attached) triggers the issue with the following code:
using OpenMcdf;
using var ms = new MemoryStream(File.ReadAllBytes("crafted.cfb"));
using var root = RootStorage.Open(ms);
// Never returns - EnumerateEntries loops indefinitely
foreach (var entry in root.EnumerateEntries())
{
Console.WriteLine(entry.Name);
if (entry.Type == EntryType.Stream)
root.OpenStream(entry.Name); // also hangs depending on the cycle structure
}
Impact
A denial of service affecting any application that opens untrusted CFB files with OpenMcdf. A small crafted input carrying a valid CFB magic header (D0 CF 11 E0 A1 B1 1A E1) is sufficient to pass initial format validation and reach the vulnerable traversal code. No exception is thrown, so try/catch cannot protect callers. The affected thread is unrecoverable without killing the process.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "OpenMcdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41511"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T22:09:01Z",
"nvd_published_at": "2026-05-08T19:16:31Z",
"severity": "MODERATE"
},
"details": "### Summary\nOpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the `LeftSiblingID` / `RightSiblingID` chain causes `Storage.EnumerateEntries()` and `Storage.OpenStream()` to loop indefinitely, consuming the calling thread with no possibility of recovery via `try/catch`.\n\n### Details\nCFB directory entries form a red-black tree linked by `LeftSiblingID` and `RightSiblingID` fields. OpenMcdf\u0027s `DirectoryTreeEnumerator` and `DirectoryTree.TryGetDirectoryEntry` traverse this tree without tracking visited node IDs, so a crafted cycle (e.g. entry A\u0027s `RightSiblingID` points to entry B, and entry B\u0027s `LeftSiblingID` points back to entry A) causes traversal to loop indefinitely.\n\nTwo distinct code paths are affected:\n\n- **`Storage.EnumerateEntries()`** - `DirectoryTreeEnumerator.MoveNext()` never returns `false`; the same entry is yielded on every iteration and the caller\u0027s `foreach` never exits. Heap grows unboundedly as entries accumulate.\n- **`Storage.OpenStream()`** - `DirectoryTree.TryGetDirectoryEntry` loops indefinitely inside `DirectoryEntries.TryGetSibling` during the name lookup.\n\n### PoC\nA crafted CFB file with a sibling cycle (see attached) triggers the issue with the following code:\n\n```csharp\nusing OpenMcdf;\n\nusing var ms = new MemoryStream(File.ReadAllBytes(\"crafted.cfb\"));\nusing var root = RootStorage.Open(ms);\n\n// Never returns - EnumerateEntries loops indefinitely\nforeach (var entry in root.EnumerateEntries())\n{\n Console.WriteLine(entry.Name);\n\n if (entry.Type == EntryType.Stream)\n root.OpenStream(entry.Name); // also hangs depending on the cycle structure\n}\n```\n\n### Impact\nA denial of service affecting any application that opens untrusted CFB files with OpenMcdf. A small crafted input carrying a valid CFB magic header (`D0 CF 11 E0 A1 B1 1A E1`) is sufficient to pass initial format validation and reach the vulnerable traversal code. No exception is thrown, so `try/catch` cannot protect callers. The affected thread is unrecoverable without killing the process.",
"id": "GHSA-jxpf-xq2m-q525",
"modified": "2026-05-13T13:33:51Z",
"published": "2026-04-22T22:09:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41511"
},
{
"type": "WEB",
"url": "https://github.com/openmcdf/openmcdf/commit/24f445a557fc4f46461cf6d02d296cce16c293a0"
},
{
"type": "PACKAGE",
"url": "https://github.com/openmcdf/openmcdf"
},
{
"type": "WEB",
"url": "https://github.com/openmcdf/openmcdf/releases/tag/v3.1.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle"
}
GHSA-JXQM-35FX-CRQJ
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2025-04-20 03:33In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-iax2.c by constraining packet lateness.
{
"affected": [],
"aliases": [
"CVE-2017-6470"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-04T03:59:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-iax2.c by constraining packet lateness.",
"id": "GHSA-jxqm-35fx-crqj",
"modified": "2025-04-20T03:33:38Z",
"published": "2022-05-13T01:46:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6470"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13432"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=0b89174ef4c531a1917437fff586fe525ee7bf2d"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=0b89174ef4c531a1917437fff586fe525ee7bf2d"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2017-10.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3811"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96563"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JXV8-JMP2-87P8
Vulnerability from github – Published: 2024-08-07 18:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
x86/bhi: Avoid warning in #DB handler due to BHI mitigation
When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler (exc_debug_kernel()) to issue a warning because single-step is used outside the entry_SYSENTER_compat() function.
To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY after making sure the TF flag is cleared.
The problem can be reproduced with the following sequence:
$ cat sysenter_step.c int main() { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }
$ gcc -o sysenter_step sysenter_step.c
$ ./sysenter_step Segmentation fault (core dumped)
The program is expected to crash, and the #DB handler will issue a warning.
Kernel log:
WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160 ... RIP: 0010:exc_debug_kernel+0xd2/0x160 ... Call Trace: <#DB> ? show_regs+0x68/0x80 ? __warn+0x8c/0x140 ? exc_debug_kernel+0xd2/0x160 ? report_bug+0x175/0x1a0 ? handle_bug+0x44/0x90 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? exc_debug_kernel+0xd2/0x160 exc_debug+0x43/0x50 asm_exc_debug+0x1e/0x40 RIP: 0010:clear_bhb_loop+0x0/0xb0 ... </#DB> ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
[ bp: Massage commit message. ]
{
"affected": [],
"aliases": [
"CVE-2024-42240"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-07T16:15:46Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\n\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\nentry_SYSENTER_compat() function.\n\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\nafter making sure the TF flag is cleared.\n\nThe problem can be reproduced with the following sequence:\n\n $ cat sysenter_step.c\n int main()\n { asm(\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\"); }\n\n $ gcc -o sysenter_step sysenter_step.c\n\n $ ./sysenter_step\n Segmentation fault (core dumped)\n\nThe program is expected to crash, and the #DB handler will issue a warning.\n\nKernel log:\n\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\n ...\n RIP: 0010:exc_debug_kernel+0xd2/0x160\n ...\n Call Trace:\n \u003c#DB\u003e\n ? show_regs+0x68/0x80\n ? __warn+0x8c/0x140\n ? exc_debug_kernel+0xd2/0x160\n ? report_bug+0x175/0x1a0\n ? handle_bug+0x44/0x90\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? exc_debug_kernel+0xd2/0x160\n exc_debug+0x43/0x50\n asm_exc_debug+0x1e/0x40\n RIP: 0010:clear_bhb_loop+0x0/0xb0\n ...\n \u003c/#DB\u003e\n \u003cTASK\u003e\n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\n \u003c/TASK\u003e\n\n [ bp: Massage commit message. ]",
"id": "GHSA-jxv8-jmp2-87p8",
"modified": "2025-11-04T00:31:10Z",
"published": "2024-08-07T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42240"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M236-5Q24-77FQ
Vulnerability from github – Published: 2022-02-15 00:02 – Updated: 2025-11-04 00:30Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2022-0586"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-14T22:15:00Z",
"severity": "HIGH"
},
"details": "Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-m236-5q24-77fq",
"modified": "2025-11-04T00:30:31Z",
"published": "2022-02-15T00:02:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0586"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0586.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/17813"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00041.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRJ24JRKLA6XMDKLGVTOPM5KBBU4UHLN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3DZD2JU56ZI4XV2B3HGVGA5PXQDNA5T"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HRJ24JRKLA6XMDKLGVTOPM5KBBU4UHLN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3DZD2JU56ZI4XV2B3HGVGA5PXQDNA5T"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-04"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2022-01.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2V9-299J-RV96
Vulnerability from github – Published: 2026-06-16 14:05 – Updated: 2026-06-16 14:05Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer.
Patches
This has been fixed in pypdf==6.13.0.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3830.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pypdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54531"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T14:05:57Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer.\n\n### Patches\n\nThis has been fixed in [pypdf==6.13.0](https://github.com/py-pdf/pypdf/releases/tag/6.13.0).\n\n### Workarounds\n\nIf you cannot upgrade yet, consider applying the changes from PR [#3830](https://github.com/py-pdf/pypdf/pull/3830).",
"id": "GHSA-m2v9-299j-rv96",
"modified": "2026-06-16T14:05:57Z",
"published": "2026-06-16T14:05:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-m2v9-299j-rv96"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/pull/3830"
},
{
"type": "PACKAGE",
"url": "https://github.com/py-pdf/pypdf"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/releases/tag/6.13.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "pypdf: Possible infinite loop when processing outlines/bookmarks in writer"
}
GHSA-M336-G88R-274Q
Vulnerability from github – Published: 2024-07-01 18:32 – Updated: 2024-07-01 18:32In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the admin or power Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-36990"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-01T17:15:07Z",
"severity": "MODERATE"
},
"details": "In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user that does not hold the admin or power Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint in Splunk Enterprise, potentially causing a denial of service.",
"id": "GHSA-m336-g88r-274q",
"modified": "2024-07-01T18:32:41Z",
"published": "2024-07-01T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36990"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2024-0710"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/45766810-dbb2-44d4-b889-b4ba3ee0d1f5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M343-CXJ8-FQ77
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
{
"affected": [],
"aliases": [
"CVE-2017-18273"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-18T19:29:00Z",
"severity": "HIGH"
},
"details": "In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.",
"id": "GHSA-m343-cxj8-fq77",
"modified": "2022-05-13T01:17:22Z",
"published": "2022-05-13T01:17:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18273"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/910"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M35F-82QC-HMW7
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53In ih264d_video_decode of ih264d_api.c there is a possible resource exhaustion due to an infinite loop. This could lead to remote temporary device denial of service (remote hang or reboot) with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android ID: A-63521984.
{
"affected": [],
"aliases": [
"CVE-2018-9444"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-06T17:29:00Z",
"severity": "HIGH"
},
"details": "In ih264d_video_decode of ih264d_api.c there is a possible resource exhaustion due to an infinite loop. This could lead to remote temporary device denial of service (remote hang or reboot) with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android ID: A-63521984.",
"id": "GHSA-m35f-82qc-hmw7",
"modified": "2022-05-13T01:53:55Z",
"published": "2022-05-13T01:53:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9444"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-08-01"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041432"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M3HH-F9GH-74C2
Vulnerability from github – Published: 2025-08-07 20:53 – Updated: 2025-08-07 20:53Impact
Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames.
QUIC connections possess a set of connection identifiers (IDs); see Section 5.1 of RFC 9000. Once the QUIC handshake completes, a local endpoint is responsible for issuing and retiring Connection IDs that are used by the remote peer to populate the Destination Connection ID field in packets sent from remote to local. Each Connection ID has a sequence number to ensure synchronization between peers
An unauthenticated remote attacker can exploit this vulnerability by first completing a handshake and then sending a specially-crafted set of frames that trigger a connection ID retirement in the victim. When the victim attempts to send a packet containing RETIRE_CONNECTION_ID frames, Section 19.16 of RFC 9000 requires that the sequence number of the retired connection ID must not be the same as the sequence number of the connection ID used by the packet. In other words, a packet cannot contain a frame that retires itself. In scenarios such as path migration, it is possible for there to be multiple active paths with different active connection IDs that could be used to retire each other. The exploit triggered an unintentional behaviour of a quiche design feature that supports retirement across paths while maintaining full connection ID synchronization, leading to an infinite loop.
Patches
quiche 0.24.5 is the earliest version containing the fix for the issue
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "quiche"
},
"ranges": [
{
"events": [
{
"introduced": "0.15.0"
},
{
"fixed": "0.24.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-7054"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-07T20:53:40Z",
"nvd_published_at": "2025-08-07T16:15:31Z",
"severity": "HIGH"
},
"details": "## Impact\n\nCloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames.\n\nQUIC connections possess a set of connection identifiers (IDs); see [Section 5.1 of RFC 9000](https://datatracker.ietf.org/doc/html/rfc9000#section-5.1). Once the QUIC handshake completes, a local endpoint is responsible for issuing and retiring Connection IDs that are used by the remote peer to populate the Destination Connection ID field in packets sent from remote to local. Each Connection ID has a sequence number to ensure synchronization between peers\n\nAn unauthenticated remote attacker can exploit this vulnerability by first completing a handshake and then sending a specially-crafted set of frames that trigger a connection ID retirement in the victim. When the victim attempts to send a packet containing RETIRE_CONNECTION_ID frames, [Section 19.16 of RFC 9000](https://datatracker.ietf.org/doc/html/rfc9000#section-19.16) requires that the sequence number of the retired connection ID must not be the same as the sequence number of the connection ID used by the packet. In other words, a packet cannot contain a frame that retires itself. In scenarios such as path migration, it is possible for there to be multiple active paths with different active connection IDs that could be used to retire each other. The exploit triggered an unintentional behaviour of a quiche design feature that supports retirement across paths while maintaining full connection ID synchronization, leading to an infinite loop.\n\n## Patches\n\nquiche 0.24.5 is the earliest version containing the fix for the issue",
"id": "GHSA-m3hh-f9gh-74c2",
"modified": "2025-08-07T20:53:40Z",
"published": "2025-08-07T20:53:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-m3hh-f9gh-74c2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7054"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudflare/quiche"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "quiche connection ID retirement can trigger an infinite loop"
}
GHSA-M3QF-XV59-6W6H
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2025-03-11 12:30A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus ReadyStart (All versions), Nucleus Source Code (versions including affected IPv6 stack), VSTAR (versions including affected IPv6 stack). The function that processes IPv6 headers does not check the lengths of extension header options, allowing attackers to put this function into an infinite loop with crafted length values.
{
"affected": [],
"aliases": [
"CVE-2021-25663"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T21:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Nucleus 4 (All versions \u003c V4.1.0), Nucleus NET (All versions), Nucleus ReadyStart (All versions), Nucleus Source Code (versions including affected IPv6 stack), VSTAR (versions including affected IPv6 stack). The function that processes IPv6 headers does not check the lengths of extension header options, allowing attackers to put this function into an infinite loop with crafted length values.",
"id": "GHSA-m3qf-xv59-6w6h",
"modified": "2025-03-11T12:30:58Z",
"published": "2022-05-24T17:48:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25663"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-248289.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-248289.pdf"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.