CWE-834: Excessive Iteration — known CVE vulnerabilities
CVEs classified under CWE-834 (Excessive Iteration), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2017-12587 — CVSS 8.8 (high): ImageMagick 7.0.6-1 has a large loop vulnerability in the ReadPWPImage function in coders\pwp.c.
CVE-2025-62707 — CVSS 7.5 (high): pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF…
CVE-2025-56571 — CVSS 7.5 (high): Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the…
CVE-2024-4227 — CVSS 7.5 (high): In Genivia gSOAP with a specific configuration an unauthenticated remote attacker can generate a high CPU load when forcing to parse an XML…
CVE-2023-49316 — CVSS 7.5 (high): In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively large degrees can lead to a denial of service.
CVE-2023-5632 — CVSS 7.5 (high): In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT…
CVE-2023-38200 — CVSS 7.5 (high): A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL…
CVE-2021-4021 — CVSS 7.5 (high): A vulnerability was found in Radare2 in versions prior to 5.6.2, 5.6.0, 5.5.4 and 5.5.2. Mapping a huge section filled with zeros of an…
CVE-2021-4190 — CVSS 7.5 (high): Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file
CVE-2021-39924 — CVSS 7.5 (high): Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or…
CVE-2021-39923 — CVSS 7.5 (high): Large loop in the PNRP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted…
CVE-2021-39204 — CVSS 7.5 (high): Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams…
CVE-2021-3128 — CVSS 7.5 (high): In ASUS RT-AX3000, ZenWiFi AX (XT8), RT-AX88U, and other ASUS routers with firmware < 3.0.0.4.386.42095 or < 9.0.0.4.386.41994, when IPv6…
CVE-2021-23270 — CVSS 7.5 (high): In Gargoyle OS 1.12.0, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and…
CVE-2020-35573 — CVSS 7.5 (high): srs2.c in PostSRSd before 1.10 allows remote attackers to cause a denial of service (CPU consumption) via a long timestamp tag in an SRS…
CVE-2020-14303 — CVSS 7.5 (high): A flaw was found in the AD DC NBT server in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4. A samba user could send an…
CVE-2018-14342 — CVSS 7.5 (high): In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the BGP protocol dissector could go into a large loop. This was addressed…
CVE-2018-9261 — CVSS 7.5 (high): In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the NBAP dissector could crash with a large loop that ends with a heap-based buffer…
CVE-2018-7323 — CVSS 7.5 (high): In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-wccp.c had a large loop that was addressed by ensuring that a…
CVE-2018-7321 — CVSS 7.5 (high): In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-thrift.c had a large loop that was addressed by not proceeding with…
CVE-2017-11409 — CVSS 7.5 (high): In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a large loop. This was addressed in epan/dissectors/packet-gprs-llc.c by…
CVE-2017-11188 — CVSS 7.5 (high): The ReadDPXImage function in coders\dpx.c in ImageMagick 7.0.6-0 has a large loop vulnerability that can cause CPU exhaustion via a crafted…
CVE-2026-41313 — CVSS 6.5 (medium): pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft…
CVE-2024-8049 — CVSS 6.5 (medium): In Progress Telerik Document Processing Libraries, versions prior to 2024 Q4 (2024.4.1106), importing a document with unsupported features…
CVE-2023-29407 — CVSS 6.5 (medium): A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can…
CVE-2021-43545 — CVSS 6.5 (medium): Using the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0…
CVE-2018-20805 — CVSS 6.5 (medium): A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an…
CVE-2018-11507 — CVSS 6.5 (medium): An issue was discovered in Free Lossless Image Format (FLIF) 0.3. An attacker can trigger a long loop in image_load_pnm in…
CVE-2018-9133 — CVSS 6.5 (medium): ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a…
CVE-2017-17914 — CVSS 6.5 (medium): In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a…
CVE-2017-14222 — CVSS 6.5 (medium): In libavformat/mov.c in FFmpeg 3.3.3, a DoS in read_tfra() due to lack of an EOF (End of File) check might cause huge CPU and memory…
CVE-2017-14175 — CVSS 6.5 (medium): In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due to lack of an EOF (End of File) check might cause huge CPU…
CVE-2017-14174 — CVSS 6.5 (medium): In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal() due to lack of an EOF (End of File) check might cause huge CPU…
CVE-2017-14172 — CVSS 6.5 (medium): In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due to lack of an EOF (End of File) check might cause huge CPU…
CVE-2017-14171 — CVSS 6.5 (medium): In libavformat/nsvdec.c in FFmpeg 2.4 and 3.3.3, a DoS in nsv_parse_NSVf_header() due to lack of an EOF (End of File) check might cause…
CVE-2017-14170 — CVSS 6.5 (medium): In libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, a DoS in mxf_read_index_entry_array() due to lack of an EOF (End of File) check might cause…
CVE-2017-14059 — CVSS 6.5 (medium): In FFmpeg 3.3.3, a DoS in cine_read_header() due to lack of an EOF check might cause huge CPU and memory consumption. When a crafted CINE…
CVE-2017-14057 — CVSS 6.5 (medium): In FFmpeg 3.3.3, a DoS in asf_read_marker() due to lack of an EOF (End of File) check might cause huge CPU and memory consumption. When a…
CVE-2017-14056 — CVSS 6.5 (medium): In libavformat/rl2.c in FFmpeg 3.3.3, a DoS in rl2_read_header() due to lack of an EOF (End of File) check might cause huge CPU and memory…
CVE-2017-14055 — CVSS 6.5 (medium): In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due to lack of an EOF (End of File) check might cause huge CPU and memory…
CVE-2017-14054 — CVSS 6.5 (medium): In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due to lack of an EOF (End of File) check might cause huge CPU…
CVE-2017-13777 — CVSS 6.5 (medium): GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version==10 case that results…
CVE-2017-13776 — CVSS 6.5 (medium): GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case that results…
CVE-2017-12674 — CVSS 6.5 (medium): In ImageMagick 7.0.6-2, a CPU exhaustion vulnerability was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to…
CVE-2017-11505 — CVSS 6.5 (medium): The ReadOneJNGImage function in coders/png.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a…
CVE-2017-11360 — CVSS 6.5 (medium): The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a large loop vulnerability via a crafted rle file that triggers a huge…
CVE-2023-1993 — CVSS 6.3 (medium): LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture…