CWE-835: Loop with Unreachable Exit Condition (Infinite Loop) — known CVE vulnerabilities
CVEs classified under CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-24816: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/mo…
CVE-2018-20784 — CVSS 9.8 (critical): In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service…
CVE-2017-12997 — CVSS 9.8 (critical): The LLDP parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-lldp.c:lldp_private_8021_print().
CVE-2017-12995 — CVSS 9.8 (critical): The DNS parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-domain.c:ns_print().
CVE-2017-12990 — CVSS 9.8 (critical): The ISAKMP parser in tcpdump before 4.9.2 could enter an infinite loop due to bugs in print-isakmp.c, several functions.
CVE-2026-31448 — CVSS 9.4 (critical): In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod…
CVE-2026-24804: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7603e/src/mt7603_wifi/c…
CVE-2026-24803: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embed…
CVE-2021-42143 — CVSS 9.1 (critical): An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. An infinite loop bug exists during the handling of a…
CVE-2026-25533 — CVSS 8.8 (high): Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in…
CVE-2018-8002 — CVSS 8.8 (high): In PoDoFo 0.9.5, there exists an infinite loop vulnerability in PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may…
CVE-2025-29776: Azle is a WebAssembly runtime for TypeScript and JavaScript on ICP. Calling `setTimer` in Azle versions `0.27.0`, `0.28.0`, and `0.29.0`…
CVE-2025-27497: OpenDJ is an LDAPv3 compliant directory service. OpenDJ prior to 4.9.3 contains a denial-of-service (DoS) vulnerability that causes the…
CVE-2024-8088: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API…
CVE-2025-20253 — CVSS 8.6 (high): A vulnerability in the IKEv2 feature of Cisco IOS Software, IOS XE Software, Secure Firewall ASA Software, and Secure FTD Software could…
CVE-2025-20243 — CVSS 8.6 (high): A vulnerability in the management and VPN web servers of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an…
CVE-2025-20217 — CVSS 8.6 (high): A vulnerability in the packet inspection functionality of the Snort 3 Detection Engine of Cisco Secure Firewall Threat Defense (FTD)…
CVE-2025-20136 — CVSS 8.6 (high): A vulnerability in the function that performs IPv4 and IPv6 Network Address Translation (NAT) DNS inspection for Cisco Secure Firewall…
CVE-2023-20083 — CVSS 8.6 (high): A vulnerability in ICMPv6 inspection when configured with the Snort 2 detection engine for Cisco Firepower Threat Defense (FTD) Software…
CVE-2024-11595 — CVSS 7.8 (high): FiveCo RAP dissector infinite loop in Wireshark 4.4.0 to 4.4.1 and 4.2.0 to 4.2.8 allows denial of service via packet injection or crafted…
CVE-2024-0211 — CVSS 7.8 (high): DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file
CVE-2017-12412 — CVSS 7.8 (high): ccn-lite-ccnb2xml in CCN-lite before 2.0.0 allows context-dependent attackers to have unspecified impact via a crafted file, which triggers…
CVE-2018-5253 — CVSS 7.8 (high): The AP4_FtypAtom class in Core/Ap4FtypAtom.cpp in Bento4 1.5.1.0 has an Infinite loop via a crafted MP4 file that triggers size mishandling.
CVE-2013-2789 — CVSS 7.8 (high): The Kepware DNP Master Driver for the KEPServerEX Communications Platform before 5.12.140.0 allows remote attackers to cause a denial of…
CVE-2009-1270 — CVSS 7.8 (high): libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted TAR file that…
CVE-2025-20312 — CVSS 7.7 (high): A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote…
CVE-2019-3900 — CVSS 7.7 (high): An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming…
CVE-2026-11352 — CVSS 7.5 (high): An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or…
CVE-2026-54904 — CVSS 7.5 (high): concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry…
CVE-2025-71330 — CVSS 7.5 (high): image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event…
CVE-2025-71329 — CVSS 7.5 (high): image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event…
CVE-2025-71319 — CVSS 7.5 (high): image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event…
CVE-2026-47066 — CVSS 7.5 (high): Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response…
CVE-2026-42920 — CVSS 7.5 (high): When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic…
CVE-2026-39806 — CVSS 7.5 (high): Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via…
CVE-2026-44302 — CVSS 7.5 (high): Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an…
CVE-2026-42899 — CVSS 7.5 (high): Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE-2026-4890 — CVSS 7.5 (high): A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a…
CVE-2026-29975 — CVSS 7.5 (high): lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string…
CVE-2026-33814 — CVSS 7.5 (high): When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a…
CVE-2026-31552 — CVSS 7.5 (high): In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough…
CVE-2026-23451 — CVSS 7.5 (high): In the Linux kernel, the following vulnerability has been resolved: bonding: prevent potential infinite loop in bond_header_parse()…
CVE-2026-33891 — CVSS 7.5 (high): Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of…
CVE-2026-33699 — CVSS 7.5 (high): pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF…
CVE-2026-32287 — CVSS 7.5 (high): Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be…
CVE-2026-4598 — CVSS 7.5 (high): Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the…
CVE-2026-33013 — CVSS 7.5 (high): Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions…
CVE-2026-32873 — CVSS 7.5 (high): ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers…