
CWE-606 (Unchecked Input for Loop Condition) — Vulnerability Class 16

16 vulnerabilities classified as CWE-606 (Unchecked Input for Loop Condition). AI Chinese analysis included.

CWE-606 represents a logic error where software fails to validate inputs governing loop termination conditions. This weakness typically arises when developers trust external data without verifying its bounds or integrity before using it to control iteration counts. Attackers exploit this vulnerability by supplying maliciously crafted inputs that force the loop to execute excessively, potentially exhausting system resources such as memory or CPU cycles. This exploitation often results in a denial of service, rendering the application unresponsive or causing it to crash. To mitigate this risk, developers must implement rigorous input validation, ensuring that all data used in loop conditions is within expected limits. Additionally, incorporating timeout mechanisms and resource monitoring can prevent infinite loops, while thorough code reviews help identify unchecked variables that could lead to excessive iteration.

MITRE CWE Description
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

Common Consequences (1)
Availability — DoS: Resource Consumption (CPU)

Mitigations (2)
Implementation — Do not use user-controlled data for loop conditions.
Implementation — Perform input validation.

Examples (2)
The following example demonstrates the weakness: the iteration count comes straight from stdin and is passed to iterate() without any bounds check.
    #include <stdio.h>

    void foo(void);   /* defined elsewhere in the example */

    /* The loop bound n is whatever the caller supplies. */
    void iterate(int n)
    {
        int i;
        for (i = 0; i < n; i++) {
            foo();
        }
    }

    /* num is read from stdin and handed to iterate() unchecked (the weakness);
     * note that the unsigned value is also silently converted to int. */
    void iterateFoo(void)
    {
        unsigned int num;
        scanf("%u", &num);
        iterate(num);
    }

Bad · C
In the following C/C++ example the method processMessageFromSocket() reads a message from a socket into a buffer and parses the buffer into a structure holding the message length and the message body. A for loop then copies the message body into a local character string, which is passed to another method for processing. The loop bound msg->msgLength is taken from the network data and is never compared against MESSAGE_SIZE.
    /* BUFFER_SIZE, MESSAGE_SIZE, ExMessage, getMessage(), recastBuffer() and
     * processMessage() are defined elsewhere in the MITRE example. */
    int processMessageFromSocket(int socket)
    {
        int success;
        char buffer[BUFFER_SIZE];
        char message[MESSAGE_SIZE];

        // get message from socket and store into buffer
        // Ignoring possibility that buffer > BUFFER_SIZE
        if (getMessage(socket, buffer, BUFFER_SIZE) > 0) {
            // place contents of the buffer into message structure
            ExMessage *msg = recastBuffer(buffer);

            // copy message body into string for processing
            // msg->msgLength is attacker-controlled and unchecked against MESSAGE_SIZE
            int index;
            for (index = 0; index < msg->msgLength; index++) {
                message[index] = msg->msgBody[index];
            }
            message[index] = '\0';

            // process message
            success = processMessage(message);
        }
        return success;
    }

Bad · C
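The following is an added example, not code from MITRE or from this page, showing the hardened form of both MITRE snippets above: the loop bound is still taken from the input, but it is validated against a fixed ceiling (for iterate()) and against both the destination capacity and the number of bytes actually received (for the socket copy loop) before it controls any iteration. The wire format (a 4-byte little-endian length followed by the body), the ExMessage layout, MESSAGE_SIZE and MAX_ITERATIONS are assumptions made for this example; the sample buffers are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination capacity and iteration ceiling (values constructed for this example). */
#define MESSAGE_SIZE 64
#define MAX_ITERATIONS 10000u

/* Hypothetical parsed-message view over a receive buffer (assumption:
 * the wire format is a 4-byte little-endian length followed by the body). */
typedef struct {
    uint32_t msg_length;            /* length claimed by the sender: untrusted */
    const unsigned char *msg_body;  /* points into the receive buffer */
    size_t body_avail;              /* bytes actually received after the header */
} ExMessage;

/* Parse the header out of buf_len received bytes. Returns 0 on success. */
static int parse_header(const unsigned char *buf, size_t buf_len, ExMessage *out)
{
    if (buf == NULL || out == NULL || buf_len < 4)
        return -1;
    out->msg_length = (uint32_t)buf[0]
                    | ((uint32_t)buf[1] << 8)
                    | ((uint32_t)buf[2] << 16)
                    | ((uint32_t)buf[3] << 24);
    out->msg_body = buf + 4;
    out->body_avail = buf_len - 4;
    return 0;
}

/* Hardened copy loop from processMessageFromSocket(): msg_length is checked
 * against the destination size and the bytes really received before it is
 * used as a loop bound. Returns bytes copied, or -1 if the input is rejected. */
int copy_message_checked(const unsigned char *buf, size_t buf_len,
                         char *message, size_t message_size)
{
    ExMessage msg;
    size_t index;

    if (message == NULL || message_size == 0)
        return -1;
    if (parse_header(buf, buf_len, &msg) != 0)
        return -1;
    /* Bound 1: the claimed length must leave room for the terminating NUL. */
    if (msg.msg_length >= message_size)
        return -1;
    /* Bound 2: the claimed length must not exceed what was actually received,
     * otherwise the loop reads past the end of the receive buffer. */
    if (msg.msg_length > msg.body_avail)
        return -1;

    for (index = 0; index < msg.msg_length; index++)
        message[index] = (char)msg.msg_body[index];
    message[index] = '\0';
    return (int)index;
}

/* Hardened iterate()/iterateFoo(): the caller-supplied count is capped by a
 * fixed ceiling instead of being trusted. Returns the iterations performed,
 * or -1 if n exceeds the ceiling. */
int iterate_checked(unsigned int n, unsigned int max_iter)
{
    unsigned int i;
    if (n > max_iter)
        return -1;
    for (i = 0; i < n; i++) {
        /* foo() from the MITRE example would run here */
    }
    return (int)i;
}

int main(void)
{
    /* Constructed sample input: header claims 5 bytes, body "hello". */
    const unsigned char good[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    /* Constructed hostile input: header claims 0x7fffffff bytes, only 5 present. */
    const unsigned char hostile[] = { 0xff, 0xff, 0xff, 0x7f, 'h', 'e', 'l', 'l', 'o' };
    char message[MESSAGE_SIZE];
    int n;

    n = copy_message_checked(good, sizeof good, message, sizeof message);
    printf("good:    %d bytes -> \"%s\"\n", n, message);
    n = copy_message_checked(hostile, sizeof hostile, message, sizeof message);
    printf("hostile: %d (rejected)\n", n);
    printf("iterate(20000): %d (rejected)\n", iterate_checked(20000u, MAX_ITERATIONS));
    return 0;
}
```

Both checks in copy_message_checked() matter: the first prevents the write past message[], the second prevents the read past the receive buffer, and together they make the cost of the loop proportional to data the peer actually sent rather than to a number the peer merely claimed.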
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-1519 | Excessive NSEC3 iterations cause high CPU load during insecure delegation validation | BIND 9 | 7.5 | High | 2026-03-25
CVE-2019-25624 | Liquid Studio 2.17 Denial of Service via Malformed Input | Liquid Studio | 6.2 | Medium | 2026-03-23
CVE-2026-27689 | Denial of service (DOS) in SAP Supply Chain Management | SAP Supply Chain Management | 7.7 | High | 2026-03-10
CVE-2026-23689 | Denial of service (DOS) in SAP Supply Chain Management | SAP Supply Chain Management | 7.7 | High | 2026-02-10
CVE-2025-43801 | Liferay Portal and Liferay DXP security vulnerability | Portal | 7.5 (AI) | High (AI) | 2025-09-16
CVE-2025-42930 | Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation | SAP Business Planning and Consolidation | 6.5 | Medium | 2025-09-09
CVE-2024-13931 | Authenticated Relative Path Traversal | ASPECT-Enterprise | 7.2 | High | 2025-05-22
CVE-2024-13930 | Authenticated Unchecked Loop Condition | ASPECT-Enterprise | 4.9 | Medium | 2025-05-22
CVE-2025-32399 | RT-Labs P-Net security vulnerability | P-Net | 5.3 | Medium | 2025-05-07
CVE-2024-8508 | Unbounded name compression could lead to Denial of Service | Unbound | 5.3 | Medium | 2024-10-03
CVE-2024-4603 | Excessive time spent checking DSA keys and parameters | OpenSSL | 7.5 (AI) | High (AI) | 2024-05-16
CVE-2023-6237 | Excessive time spent checking invalid RSA public keys | OpenSSL | 7.5 | - | 2024-04-25
CVE-2023-5678 | Excessive time spent in DH check / generation with large Q parameter value | OpenSSL | 5.3 | - | 2023-11-06
CVE-2023-3817 | Excessive time spent checking DH q parameter value | OpenSSL | 7.5 | - | 2023-07-31
CVE-2023-3446 | Excessive time spent checking DH keys and parameters | OpenSSL | 7.5 | - | 2023-07-19
CVE-2022-3252 | Apple SwiftNIO Extras security vulnerability | SwiftNIO Extras | 7.5 | - | 2022-09-21

Values marked (AI) carry the page's AI marker on that score or severity; "-" means no severity was listed.

Vulnerabilities classified as CWE-606 (Unchecked Input for Loop Condition) represent 16 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.