
CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')) — Vulnerability Class 212

212 vulnerabilities classified as CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')). AI Chinese analysis included.

CWE-835 is a logic error in which a loop's exit condition can never be satisfied, so the loop runs until the process is killed. Typical causes are loop variables that are never updated (or are updated in a way that never reaches the bound), exit tests that compare floating-point values for exact equality, and parsers that take the next offset or length from untrusted input without checking that it actually moves forward. An attacker who controls the input that drives such a loop gets a denial of service for free: the thread pins a CPU core, and if the loop also allocates, memory grows until the process is killed or the host is exhausted. The fix is to make every iteration provably progress toward the exit: increment or decrement the counter inside the loop body, use range comparisons (< or <=) instead of exact equality, especially on floating-point values, and reject input-derived offsets that do not advance past the current position. Static analysis can flag exit conditions that are never reachable. A maximum iteration count, a deadline, or a watchdog is a separate safety net: if a logic error slips through, the work still ends with an error instead of consuming the host's resources.
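The loop-hardening rules above, as an added example written for this page (it is not code from the page or from any project in the CVE list). It walks a hypothetical record format constructed for illustration, with an input-supplied next-record offset: the vulnerable walker trusts the offset, the hardened walker enforces forward progress and bounds and adds an iteration cap, and a small float loop shows why exact equality is the wrong exit test. The record layout, the MAX_RECORDS value and the sample buffers are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from this page or from any project in the CVE list.
 * It walks a hypothetical record format constructed for illustration:
 *   [u8 type][u16 big-endian next_offset][payload ...]
 * next_offset is the absolute offset of the following record; 0 ends the chain.
 * Chasing an input-supplied offset without checking that it moves forward is
 * the pattern behind many CWE-835 parser bugs. */

#define HDR_SIZE    3u
#define MAX_RECORDS 64u   /* assumed safety-net cap; derive it from the real format */

enum walk_status {
    WALK_ERR_BOUNDS      = -1,  /* header or offset runs past the buffer */
    WALK_ERR_NO_PROGRESS = -2,  /* next_offset points at itself or backwards */
    WALK_ERR_TOO_MANY    = -3   /* iteration cap hit: logic error, not a hang */
};

static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable form: trusts next_offset completely. A record whose next_offset
 * points at itself or at an earlier record makes this loop spin forever while
 * pegging one core. Only ever called on well-formed input below. */
int walk_records_unsafe(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;
    while (pos + HDR_SIZE <= len) {
        count++;
        size_t next = rd_u16(buf + pos + 1);
        if (next == 0) break;
        pos = next;             /* no progress check */
    }
    return count;
}

/* Hardened form. Returns the record count or a negative walk_status.
 * Termination argument: pos strictly increases every iteration and is bounded
 * by len, so at most len iterations run; MAX_RECORDS is a second, independent
 * bound that turns a logic slip into an error instead of a hang. */
int walk_records(const uint8_t *buf, size_t len, int *type_sum)
{
    size_t pos = 0;
    unsigned count = 0;
    *type_sum = 0;
    while (pos < len) {
        if (len - pos < HDR_SIZE) return WALK_ERR_BOUNDS;       /* header must fit */
        if (++count > MAX_RECORDS) return WALK_ERR_TOO_MANY;
        *type_sum += buf[pos];
        size_t next = rd_u16(buf + pos + 1);
        if (next == 0) break;                                    /* explicit terminator */
        if (next > len) return WALK_ERR_BOUNDS;
        if (next <= pos || next - pos < HDR_SIZE) return WALK_ERR_NO_PROGRESS;
        pos = next;                                              /* guaranteed forward */
    }
    return (int)count;
}

int walk_count(const uint8_t *buf, size_t len) { int s; return walk_records(buf, len, &s); }
int walk_sum(const uint8_t *buf, size_t len)   { int s; walk_records(buf, len, &s); return s; }

/* Constructed sample inputs (offsets in the comments are decimal). */
static const uint8_t SAMPLE_OK[]    = {1,0,5, 0xAA,0xBB, 2,0,8, 3,0,0};  /* 0 -> 5 -> 8 -> end */
static const uint8_t SAMPLE_SELF[]  = {1,0,3, 2,0,3};                   /* record at 3 points to 3 */
static const uint8_t SAMPLE_BACK[]  = {1,0,3, 2,0,6, 3,0,3};            /* record at 6 points back to 3 */
static const uint8_t SAMPLE_OOB[]   = {1,0,80};                         /* offset 80 in a 3-byte buffer */
static const uint8_t SAMPLE_TRUNC[] = {1,0,3, 2};                       /* second header cut short */

/* A chain of MAX_RECORDS + 1 well-formed records: every link moves forward,
 * yet the cap still fires, showing the safety net is independent of the
 * progress check. */
int demo_cap_exceeded(void)
{
    uint8_t buf[(MAX_RECORDS + 1) * HDR_SIZE];
    unsigned n = MAX_RECORDS + 1;
    for (unsigned i = 0; i < n; i++) {
        unsigned next = (i + 1 < n) ? (i + 1) * HDR_SIZE : 0;
        buf[i * HDR_SIZE]     = 1;
        buf[i * HDR_SIZE + 1] = (uint8_t)(next >> 8);
        buf[i * HDR_SIZE + 2] = (uint8_t)(next & 0xFF);
    }
    return walk_count(buf, sizeof buf);
}

/* Floating-point exit tests: 0.1 is not exactly representable, so
 * `for (x = 0.0; x != 1.0; x += 0.1)` never hits 1.0 and runs forever.
 * A range comparison plus a cap terminates; the count is 11, not 10,
 * because ten additions of 0.1 sum to 0.9999999999999999 < 1.0. */
unsigned steps_until(double start, double step, double limit, unsigned max_steps)
{
    unsigned n = 0;
    for (double x = start; x < limit && n < max_steps; x += step) n++;
    return n;
}

int main(void)
{
    int sum = 0;
    int n = walk_records(SAMPLE_OK, sizeof SAMPLE_OK, &sum);
    printf("valid chain: %d records, type sum %d\n", n, sum);
    printf("self-link: %d, backward: %d, out of bounds: %d, truncated: %d, cap: %d\n",
           walk_count(SAMPLE_SELF, sizeof SAMPLE_SELF), walk_count(SAMPLE_BACK, sizeof SAMPLE_BACK),
           walk_count(SAMPLE_OOB, sizeof SAMPLE_OOB), walk_count(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC),
           demo_cap_exceeded());
    printf("steps from 0.0 to 1.0 by 0.1: %u\n", steps_until(0.0, 0.1, 1.0, 1000));
    return 0;
}
```

The progress check alone is what guarantees termination; the iteration cap is deliberately redundant so that a future edit which weakens the check still fails closed with WALK_ERR_TOO_MANY rather than hanging a worker. Returning distinct error codes also matters in practice: a fuzzer or a detection rule can tell a malformed file (bounds) from a crafted one (self-referencing link).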

MITRE CWE Description
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Amplification
An infinite loop causes unexpected consumption of resources such as CPU cycles or memory. The software may slow down or take a long time to respond.
Examples (2)
In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to keep trying to establish the connection when an attempt fails. Because nothing bounds the retries, an unreachable server keeps the loop running forever.
int processMessagesFromServer(char *hostaddr, int port) {
    ...
    int servsock;
    int connected;
    struct sockaddr_in servaddr;
    // create socket to connect to server
    servsock = socket( AF_INET, SOCK_STREAM, 0);
    memset( &servaddr, 0, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_port = htons(port);
    servaddr.sin_addr.s_addr = inet_addr(hostaddr);
    do {
        // establish connection to server
        connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));
        // if connected then read and process messages from server
        if (connected > -1) {
            // read and process messages
            ...
        }
        // keep trying to establish connection to the server
    } while (connected < 0);
    // close socket and return success or failure
    ...
}
Bad · C
int processMessagesFromServer(char *hostaddr, int port) {
    ...
    // initialize number of attempts counter
    int count = 0;
    do {
        // establish connection to server
        connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));
        // increment counter
        count++;
        // if connected then read and process messages from server
        if (connected > -1) {
            // read and process messages
            ...
        }
        // keep trying to establish connection to the server
        // up to a maximum number of attempts
    } while (connected < 0 && count < MAX_ATTEMPTS);
    // close socket and return success or failure
    ...
}
Good · C
For this example, the method isReorderNeeded is part of a bookstore application that determines whether a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold. If rateSold is zero or negative, inventoryCount never drops below minimumCount and the while loop never exits.
public boolean isReorderNeeded(String bookISBN, int rateSold) {
    boolean isReorder = false;
    int minimumCount = 10;
    int days = 0;
    // get inventory count for book
    int inventoryCount = inventory.getIventoryCount(bookISBN);
    // find number of days until inventory count reaches minimum
    while (inventoryCount > minimumCount) {
        inventoryCount = inventoryCount - rateSold;
        days++;
    }
    // if number of days within reorder timeframe
    // set reorder return boolean to true
    if (days > 0 && days < 5) {
        isReorder = true;
    }
    return isReorder;
}
Bad · Java
public boolean isReorderNeeded(String bookISBN, int rateSold) {
    ...
    // validate rateSold variable
    if (rateSold < 1) {
        return isReorder;
    }
    ...
}
Good · Java
CVE ID | Title — Product | CVSS | Severity | Published
(A value followed by "AI" carries the page's AI badge; "-" means no severity is listed.)
CVE-2026-27024 | pypdf has a possible infinite loop when processing TreeObject — pypdf | 6.5 AI | Medium AI | 2026-02-20
CVE-2026-2739 | bn.js security vulnerability — bn.js | 5.3 | Medium | 2026-02-20
CVE-2026-27114 | NanaZip has ROMFS Archive Infinite Loop — NanaZip | 7.5 | - | 2026-02-19
CVE-2026-25533 | Enclave has a sandbox escape via infinite recursion and error objects — enclave | 8.8 AI | High AI | 2026-02-06
CVE-2025-64438 | Fast-DDS: Unbounded GAP range triggers OOM DoS under RELIABLE QoS — Fast-DDS | 7.5 AI | High AI | 2026-02-03
CVE-2026-24688 | pypdf has possible Infinite Loop when processing outlines/bookmarks — pypdf | 7.5 AI | High AI | 2026-01-27
CVE-2026-24831 | Infinite loop (DoS) in ixray-1.6-stcop — ixray-1.6-stcop | 7.5 | High | 2026-01-27
CVE-2026-24816 | Cookie Security Vulnerabilities in datavane/tis — tis | 7.5 AI | High AI | 2026-01-27
CVE-2026-24804 | An infinite loop vulnerability in coolsnowwolf/lede — lede | 7.5 AI | High AI | 2026-01-27
CVE-2026-24803 | A possible infinite loop vulnerability in coolsnowwolf/lede — lede | 7.5 AI | High AI | 2026-01-27
CVE-2026-24802 | Buffer Overflow Vulnerability in briandilley/jsonrpc4j — jsonrpc4j | 7.5 AI | High AI | 2026-01-27
CVE-2025-13335 | Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab — GitLab | 6.5 | Medium | 2026-01-22
CVE-2026-23874 | ImageMagick's MSL: Stack overflow via infinite recursion in ProcessMSLScript — ImageMagick | 5.5 | Medium | 2026-01-20
CVE-2026-21905 | Junos OS: SRX Series, MX Series with MX-SPC3 or MS-MPC: Receipt of multiple specific SIP messages results in flow management process crash — Junos OS | 7.5 | High | 2026-01-15
CVE-2026-0960 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 4.7 | Medium | 2026-01-14
CVE-2026-21507 | iccDEV is Vulnerable to Denial of Service via Infinite Loop in CalcProfileID() — iccDEV | 7.5 | High | 2026-01-06
CVE-2025-69227 | AIOHTTP vulnerable to DoS when bypassing asserts — aiohttp | 7.5 | - | 2026-01-05
CVE-2025-13946 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2025-12-03
CVE-2025-66252 | Infinite Loop Denial of Service via Failed File Deletion — Mozart FM Transmitter | 7.5 AI | High AI | 2025-11-26
CVE-2025-41075 | Multiple vulnerabilities in Limesurvey — LimeSurvey | 6.5 | - | 2025-11-20
CVE-2025-41074 | Multiple vulnerabilities in Limesurvey — LimeSurvey | 6.5 | - | 2025-11-20
CVE-2025-11626 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark — Wireshark | 5.5 | Medium | 2025-10-10
CVE-2025-20312 | Cisco IOS XE security vulnerability — Cisco IOS XE Software | 7.7 | High | 2025-09-24
CVE-2025-30187 | Denial of service via crafted DoH exchange in PowerDNS DNSdist — DNSdist | 3.7 | Low | 2025-09-18
CVE-2025-20253 | Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 8.6 | High | 2025-08-14
CVE-2025-20243 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 8.6 | High | 2025-08-14
CVE-2025-20217 | Cisco Firepower Threat Defense Intrusion Detection Denial of Service Vulnerability — Cisco Firepower Threat Defense Software | 8.6 | High | 2025-08-14
CVE-2025-20136 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 8.6 | High | 2025-08-14
CVE-2025-7054 | Infinite loop triggered by connection ID retirement — quiche | 6.5 AI | Medium AI | 2025-08-07
CVE-2023-2593 | Kernel: ksmbd memory exhaustion denial-of-service vulnerability — (no product listed) | 5.9 | Medium | 2025-07-30

Vulnerabilities classified as CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')) represent 212 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.