CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) — Vulnerability Class 220

220 vulnerabilities classified as CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)). AI Chinese analysis included.

CWE-835 represents a logic error where a software loop lacks a reachable termination condition, resulting in an infinite execution cycle. This weakness typically manifests when developers fail to update loop variables correctly or rely on floating-point comparisons prone to precision errors. Attackers exploit this vulnerability to trigger Denial of Service (DoS) attacks by consuming excessive CPU resources, effectively freezing the application or system. To mitigate this risk, developers must ensure loop counters are properly incremented or decremented within the iteration body. Implementing strict boundary checks, avoiding direct equality comparisons with floating-point numbers, and utilizing static analysis tools can help detect unreachable exit conditions early. Additionally, incorporating timeout mechanisms or maximum iteration limits provides a safety net, ensuring that even if logic errors occur, the process terminates gracefully without exhausting system resources.
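The mitigations in the paragraph above (a loop variable that must advance, strict boundary checks, a maximum iteration limit) applied to a length-prefixed record walker, as an added example that is not taken from MITRE or from any CVE listed on this page. The record layout, `count_records`, `MAX_RECORDS`, the `ERR_*` codes and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RECORDS 64  /* assumed per-buffer iteration limit */

enum { ERR_TRUNCATED = -1, ERR_BAD_LENGTH = -2, ERR_OVERRUN = -3, ERR_TOO_MANY = -4 };

/* Constructed sample inputs: [type][len][payload], len counts the whole record. */
static const uint8_t SAMPLE_OK[]    = { 0x01, 0x03, 0xAA, 0x02, 0x02 };
static const uint8_t SAMPLE_STUCK[] = { 0x01, 0x03, 0xAA, 0x02, 0x00 };
static const uint8_t SAMPLE_LONG[]  = { 0x01, 0x09, 0xAA };

/* Returns the number of records walked, or a negative ERR_* code. */
int count_records(const uint8_t *buf, size_t size)
{
    size_t off = 0;
    int n = 0;

    while (off < size) {
        if (size - off < 2)
            return ERR_TRUNCATED;      /* 2-byte header does not fit */
        size_t len = buf[off + 1];
        /* A walker that only does `off += len` never leaves this loop
         * when len == 0: off stops changing, so off < size stays true. */
        if (len < 2)
            return ERR_BAD_LENGTH;     /* no progress, or shorter than header */
        if (len > size - off)
            return ERR_OVERRUN;        /* record claims bytes past the end */
        if (++n > MAX_RECORDS)
            return ERR_TOO_MANY;       /* safety net if a check is ever missed */
        off += len;                    /* guaranteed to advance by >= 2 */
    }
    return n;
}

int main(void)
{
    printf("ok=%d stuck=%d long=%d\n",
           count_records(SAMPLE_OK, sizeof SAMPLE_OK),
           count_records(SAMPLE_STUCK, sizeof SAMPLE_STUCK),
           count_records(SAMPLE_LONG, sizeof SAMPLE_LONG));
    return 0;
}
```

Returning a distinct code per failure lets the caller log why an input was rejected, which separates malformed-input noise from a limit that is set too low.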

MITRE CWE Description
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification
An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software may slow down or take a long time to respond.
Examples (2)
In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails.
    int processMessagesFromServer(char *hostaddr, int port) {
        ...
        int servsock;
        int connected;
        struct sockaddr_in servaddr;

        // create socket to connect to server
        servsock = socket(AF_INET, SOCK_STREAM, 0);
        memset(&servaddr, 0, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_port = htons(port);
        servaddr.sin_addr.s_addr = inet_addr(hostaddr);

        do {
            // establish connection to server
            connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));

            // if connected then read and process messages from server
            if (connected > -1) {
                // read and process messages
                ...
            }

            // keep trying to establish connection to the server
        } while (connected < 0);

        // close socket and return success or failure
        ...
    }
Bad · C
    int processMessagesFromServer(char *hostaddr, int port) {
        ...
        // initialize number of attempts counter
        int count = 0;

        do {
            // establish connection to server
            connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));

            // increment counter
            count++;

            // if connected then read and process messages from server
            if (connected > -1) {
                // read and process messages
                ...
            }

            // keep trying to establish connection to the server
            // up to a maximum number of attempts
        } while (connected < 0 && count < MAX_ATTEMPTS);

        // close socket and return success or failure
        ...
    }
Good · C
For this example, the method isReorderNeeded is part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.
    public boolean isReorderNeeded(String bookISBN, int rateSold) {
        boolean isReorder = false;
        int minimumCount = 10;
        int days = 0;

        // get inventory count for book
        int inventoryCount = inventory.getIventoryCount(bookISBN);

        // find number of days until inventory count reaches minimum
        while (inventoryCount > minimumCount) {
            inventoryCount = inventoryCount - rateSold;
            days++;
        }

        // if number of days within reorder timeframe
        // set reorder return boolean to true
        if (days > 0 && days < 5) {
            isReorder = true;
        }

        return isReorder;
    }
Bad · Java
    public boolean isReorderNeeded(String bookISBN, int rateSold) {
        ...
        // validate rateSold variable
        if (rateSold < 1) {
            return isReorder;
        }
        ...
    }
Good · Java
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-32739 | libheif is Vulnerable to Infinite Loop DoS via stts Sample Duration Lookup — libheif | 6.5 | Medium | 2026-05-19 |
| CVE-2026-42920 | BIG-IP DTLS Vulnerability — BIG-IP | 7.5 | High | 2026-05-13 |
| CVE-2026-42781 | BIG-IP FastL4 virtual server vulnerability — BIG-IP | 6.5 | Medium | 2026-05-13 |
| CVE-2026-39806 | HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit — bandit | - | - | 2026-05-13 |
| CVE-2026-44302 | Snappier: Infinite loop in SnappyStream decompression on malformed framed input — Snappier | 7.5 | High | 2026-05-12 |
| CVE-2026-42899 | ASP.NET Core Denial of Service Vulnerability — .NET 10.0 | 7.5 | High | 2026-05-12 |
| CVE-2026-34962 | barebox ext4 Directory Parsing Infinite Loop Denial of Service — barebox | 6.2 | Medium | 2026-05-11 |
| CVE-2026-8318 | VectifyAI PageIndex PDF Table of Contents page_index.py toc_transformer infinite loop — PageIndex | 5.3 | Medium | 2026-05-11 |
| CVE-2026-42310 | Pillow: PDF Parsing Trailer Infinite Loop (DoS) — Pillow | 5.5 | - | 2026-05-09 |
| CVE-2026-41511 | OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle — openmcdf | 6.2 | Medium | 2026-05-08 |
| CVE-2026-5407 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6536 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6534 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6531 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6528 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6523 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6521 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6520 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6519 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6522 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-7375 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2026-04-30 |
| CVE-2026-6985 | Cesanta Mongoose TCP Option net_builtin.c handle_opt infinite loop — Mongoose | 5.3 | Medium | 2026-04-25 |
| CVE-2026-33116 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability — .NET 10.0 | 7.5 | High | 2026-04-14 |
| CVE-2026-34852 | Huawei HarmonyOS security vulnerability — HarmonyOS | 6.1 | Medium | 2026-04-13 |
| CVE-2026-39934 | Growth Experiments ReassignMenteesJob runs as an infinite loop — Mediawiki - GrowthExperiments Extension | 5.9 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-33891 | Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input — forge | 7.5 | High | 2026-03-27 |
| CVE-2026-33699 | pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream — pypdf | 6.5 | - | 2026-03-26 |
| CVE-2026-4598 | jsrsasign security vulnerability — jsrsasign | 7.5 | High | 2026-03-23 |
| CVE-2026-33013 | Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices — micronaut-core | 7.5 | - | 2026-03-20 |
| CVE-2026-32889 | tinytag: Denial of Service via non-terminating SYLT frame parsing loop — tinytag | 6.5 | Medium | 2026-03-20 |

Vulnerabilities classified as CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) represent 220 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.