
CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')) — Vulnerability Class 212

212 vulnerabilities classified as CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')). AI Chinese analysis included.

CWE-835 represents a logic error where a software loop lacks a reachable termination condition, resulting in an infinite execution cycle. This weakness typically manifests when developers fail to update loop variables correctly or rely on floating-point comparisons prone to precision errors. Attackers exploit this vulnerability to trigger Denial of Service (DoS) attacks by consuming excessive CPU resources, effectively freezing the application or system. To mitigate this risk, developers must ensure loop counters are properly incremented or decremented within the iteration body. Implementing strict boundary checks, avoiding direct equality comparisons with floating-point numbers, and utilizing static analysis tools can help detect unreachable exit conditions early. Additionally, incorporating timeout mechanisms or maximum iteration limits provides a safety net, ensuring that even if logic errors occur, the process terminates gracefully without exhausting system resources.

MITRE CWE Description
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification
An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or it may take a long time to respond.
Examples (2)
In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails.

Bad · C

    int processMessagesFromServer(char *hostaddr, int port) {
        ...
        int servsock;
        int connected;
        struct sockaddr_in servaddr;

        // create socket to connect to server
        servsock = socket(AF_INET, SOCK_STREAM, 0);
        memset(&servaddr, 0, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_port = htons(port);
        servaddr.sin_addr.s_addr = inet_addr(hostaddr);

        do {
            // establish connection to server
            connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));

            // if connected then read and process messages from server
            if (connected > -1) {
                // read and process messages
                ...
            }

        // keep trying to establish connection to the server
        } while (connected < 0);

        // close socket and return success or failure
        ...
    }

Good · C

    int processMessagesFromServer(char *hostaddr, int port) {
        ...
        // initialize number of attempts counter
        int count = 0;

        do {
            // establish connection to server
            connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));

            // increment counter
            count++;

            // if connected then read and process messages from server
            if (connected > -1) {
                // read and process messages
                ...
            }

        // keep trying to establish connection to the server
        // up to a maximum number of attempts
        } while (connected < 0 && count < MAX_ATTEMPTS);

        // close socket and return success or failure
        ...
    }
For this example, the method isReorderNeeded is part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold. If rateSold is zero or negative, inventoryCount never drops to minimumCount and the while loop never exits.

Bad · Java

    public boolean isReorderNeeded(String bookISBN, int rateSold) {
        boolean isReorder = false;
        int minimumCount = 10;
        int days = 0;

        // get inventory count for book
        int inventoryCount = inventory.getInventoryCount(bookISBN);

        // find number of days until inventory count reaches minimum
        while (inventoryCount > minimumCount) {
            inventoryCount = inventoryCount - rateSold;
            days++;
        }

        // if number of days within reorder timeframe
        // set reorder return boolean to true
        if (days > 0 && days < 5) {
            isReorder = true;
        }

        return isReorder;
    }

Good · Java

    public boolean isReorderNeeded(String bookISBN, int rateSold) {
        ...
        // validate rateSold variable
        if (rateSold < 1) {
            return isReorder;
        }
        ...
    }
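As an added example (not MITRE's or any project's code), the two mitigations named in the summary above, validating input so the exit condition is reachable and capping iterations as a safety net, applied to the bookstore computation and to the floating-point stepping loop the summary warns about; the function names, the error codes and MAX_ITERATIONS are assumptions made for this page.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helpers written for this page; not MITRE's or any project's
 * code. Each returns a non-negative count or one of the error codes below. */
#define MAX_ITERATIONS 1000000L  /* safety net: no loop below may exceed this */

enum loop_status { LOOP_BAD_INPUT = -1, LOOP_CAP_HIT = -2 };

/* Hardened form of the bookstore computation from MITRE's Java example.
 * With rate_sold <= 0 the inventory never drops to the minimum and the
 * exit condition is unreachable, so such input is rejected up front; the
 * iteration cap catches any logic error that survives that check. */
long days_until_minimum(int inventory, int minimum, int rate_sold)
{
    long inv = inventory;   /* long arithmetic: no signed int underflow */
    long days = 0;
    if (rate_sold < 1)
        return LOOP_BAD_INPUT;
    while (inv > minimum) {
        if (++days > MAX_ITERATIONS)
            return LOOP_CAP_HIT;
        inv -= rate_sold;
    }
    return days;
}

/* Floating-point stepping. Ten additions of 0.1 give 0.9999999999999999,
 * then 1.0999999999999999, so a loop testing `x != end` never sees 1.0 and
 * spins forever. The hardened loop compares with `<` and is capped. */
long count_float_steps(double start, double end, double step)
{
    long steps = 0;
    if (!(step > 0.0))          /* also rejects NaN, which fails every test */
        return LOOP_BAD_INPUT;
    for (double x = start; x < end; x += step) {
        if (++steps > MAX_ITERATIONS)
            return LOOP_CAP_HIT;
    }
    return steps;
}

int main(void)
{
    printf("100 -> 10 at 3/day: %ld days\n", days_until_minimum(100, 10, 3));
    printf("rate 0: status %ld (rejected)\n", days_until_minimum(100, 10, 0));
    printf("0 to 1 by 0.1: %ld steps, not 10\n", count_float_steps(0.0, 1.0, 0.1));
    return 0;
}
```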
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-50319 | Ivanti Avalanche Security Vulnerability | Avalanche | 7.5 | High | 2024-11-12 |
| CVE-2024-11097 | SourceCodester Student Record Management System Main Menu infinite loop | Student Record Management System | 3.3 | Low | 2024-11-12 |
| CVE-2024-33623 | LevelOne WBR-6012 Security Vulnerability | WBR-6012 | 3.7 | Low | 2024-10-30 |
| CVE-2024-43512 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Windows Server 2019 | 6.5 | Medium | 2024-10-08 |
| CVE-2024-45395 | Unbounded loop over untrusted input can lead to endless data attack | sigstore-go | 3.1 | Low | 2024-09-04 |
| CVE-2024-8088 | Infinite loop when iterating over zip archive entry names from zipfile.Path | CPython | 6.5 | - | 2024-08-22 |
| CVE-2024-43366 | zkvyper ignored loop range bounds | era-compiler-vyper | 7.5 | High | 2024-08-15 |
| CVE-2024-42358 | Loop with Unreachable Exit Condition ('Infinite Loop') in pdfio | pdfio | 6.2 | Medium | 2024-08-06 |
| CVE-2024-23352 | Loop with Unreachable Exit Condition ('Infinite Loop') in Multi Mode Call Processor | Snapdragon | 7.5 | High | 2024-08-05 |
| CVE-2024-5569 | Denial of Service via crafted zip file in jaraco/zipp | jaraco/zipp | 6.5 | - | 2024-07-09 |
| CVE-2024-6227 | Infinite Loop in aimhubio/aim | aimhubio/aim | 7.5 | High | 2024-07-08 |
| CVE-2024-36990 | Denial of Service (DoS) on the datamodel/web REST endpoint | Splunk Enterprise | 6.5 | Medium | 2024-07-01 |
| CVE-2024-6061 | GPAC MP4Box isoffin_read.c isoffin_process infinite loop | GPAC | 3.3 | Low | 2024-06-17 |
| CVE-2024-5949 | Deep Sea Electronics DSE855 Multipart Boundary Infinite Loop Denial-of-Service Vulnerability | DSE855 | 6.5 | Medium | 2024-06-13 |
| CVE-2023-50763 | Multiple Siemens products Security Vulnerability | SIMATIC CP 1542SP-1 | 4.9 | Medium | 2024-06-11 |
| CVE-2024-32976 | Envoy can enter an endless loop while decompressing Brotli data with extra input | envoy | 7.5 | High | 2024-06-04 |
| CVE-2024-4854 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark | Wireshark | 6.4 | Medium | 2024-05-14 |
| CVE-2024-32886 | Vitess vulnerable to infinite memory consumption and vtgate crash | vitess | 4.9 | Medium | 2024-05-08 |
| CVE-2024-30251 | Denial of service when trying to parse malformed POST requests in aiohttp | aiohttp | 7.5 | High | 2024-05-02 |
| CVE-2024-20353 | Cisco Firepower Threat Defense and Cisco Adaptive Security Appliance Security Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 8.6 | High | 2024-04-24 |
| CVE-2024-32650 | Rustls vulnerable to an infinite loop in rustls::conn::ConnectionCommon::complete_io() with proper client input | rustls | 7.5 | High | 2024-04-19 |
| CVE-2024-2397 | infinite loop in the PPP printer of tcpdump | tcpdump | 6.2 | Medium | 2024-04-12 |
| CVE-2024-24746 | Apache NimBLE: Denial of service in NimBLE Bluetooth stack | Apache NimBLE | 6.5 | - | 2024-04-06 |
| CVE-2024-29904 | CodeIgniter4 Language class DoS Vulnerability | CodeIgniter4 | 7.5 | High | 2024-03-29 |
| CVE-2024-21408 | Windows Hyper-V Denial of Service Vulnerability | Windows 10 Version 1809 | 5.5 | Medium | 2024-03-12 |
| CVE-2024-1931 | Denial of service when trimming EDE text on positive replies | Unbound | 7.5 | High | 2024-03-07 |
| CVE-2024-25710 | Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file | Apache Commons Compress | 8.1 | High | 2024-02-19 |
| CVE-2024-25144 | Liferay Portal and Liferay DXP Security Vulnerability | Portal | 4.1 | Medium | 2024-02-08 |
| CVE-2023-45233 | Infinite loop in EDK II Network Package | edk2 | 7.5 | High | 2024-01-16 |
| CVE-2023-45232 | Infinite loop in EDK II Network Package | edk2 | 7.5 | High | 2024-01-16 |

Vulnerabilities classified as CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')) represent 212 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.