CWE-674: Uncontrolled Recursion — known CVE vulnerabilities
CVEs classified under CWE-674 (Uncontrolled Recursion), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-43185 — CVSS 9.8 (critical): In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation()…
CVE-2023-51803 — CVSS 9.8 (critical): LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring.
CVE-2021-41752 — CVSS 9.8 (critical): Stack overflow vulnerability in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on Oct 20, 2021 due to an unbounded…
CVE-2018-1000618 — CVSS 9.8 (critical): EOSIO/eos eos version after commit f1545dd0ae2b77580c2236fdb70ae7138d2c7168 contains a stack overflow vulnerability in abi_serializer that…
CVE-2025-10728: When the module renders a Svg file that contains a <pattern> element, it might end up rendering it recursively leading to stack overflow DoS
CVE-2026-40324 — CVSS 9.1 (critical): Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent…
CVE-2019-9545 — CVSS 8.8 (high): An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be…
CVE-2019-9543 — CVSS 8.8 (high): An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be…
CVE-2019-9144 — CVSS 8.8 (high): An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be…
CVE-2019-9143 — CVSS 8.8 (high): An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be…
CVE-2025-5302 — CVSS 8.6 (high): A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version…
CVE-2024-20311 — CVSS 8.6 (high): A vulnerability in the Locator ID Separation Protocol (LISP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an…
CVE-2024-25111 — CVSS 8.6 (high): Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack…
CVE-2023-50269 — CVSS 8.6 (high): Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9…
CVE-2019-10761 — CVSS 8.3 (high): This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed"…
CVE-2026-8936: Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a…
CVE-2022-41966 — CVSS 8.2 (high): XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application…
CVE-2019-1003011 — CVSS 8.1 (high): An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkin…
CVE-2026-53267 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: bail out on template ct in get eval I noticed this…
CVE-2026-53202 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix signed integer truncation in IPC receive Fix potential…
CVE-2026-23066 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails…
CVE-2025-38459 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported…
CVE-2025-1492 — CVSS 7.8 (high): Bundle Protocol and CBOR dissector crashes in Wireshark 4.4.0 to 4.4.3 and 4.2.0 to 4.2.10 allows denial of service via packet injection or…
CVE-2024-35886 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix infinite recursion in fib6_dump_done(). syzkaller reported…
CVE-2024-0210 — CVSS 7.8 (high): Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file
CVE-2021-46509 — CVSS 7.8 (high): Cesanta MJS v2.20.0 was discovered to contain a stack overflow via snquote at mjs/src/mjs_json.c.
CVE-2018-9918 — CVSS 7.8 (high): libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to…
CVE-2026-38970 — CVSS 7.5 (high): pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends…
CVE-2026-49451 — CVSS 7.5 (high): The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON…
CVE-2026-54297 — CVSS 7.5 (high): Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. From 1.0.0 until 1.10.6 and…
CVE-2026-48513 — CVSS 7.5 (high): MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by…
CVE-2026-48512 — CVSS 7.5 (high): MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain…
CVE-2026-48506 — CVSS 7.5 (high): MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into…
CVE-2026-48712 — CVSS 7.5 (high): protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth…
CVE-2026-4870 — CVSS 7.5 (high): IBM Qiskit SDK 0.43.0 through 2.5.0 could allow an attacker to trigger a segmentation fault leading to a denial of service due to…
CVE-2026-9740 — CVSS 7.5 (high): A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially…
CVE-2026-46373 — CVSS 7.5 (high): SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in…
CVE-2026-49847 — CVSS 7.5 (high): FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software…
CVE-2026-49941 — CVSS 7.5 (high): Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses…
CVE-2026-6479 — CVSS 7.5 (high): Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve…
CVE-2026-44289 — CVSS 7.5 (high): protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth…
CVE-2026-41311 — CVSS 7.5 (high): LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in…
CVE-2026-41673 — CVSS 7.5 (high): xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to…
CVE-2026-44028 — CVSS 7.5 (high): An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a…
CVE-2026-7164 — CVSS 7.5 (high): Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and…
CVE-2026-41636 — CVSS 7.5 (high): Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Thrift: before 0.23.0. Users are…
CVE-2026-42039 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects…
CVE-2026-40879 — CVSS 7.5 (high): Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON…