Threats Tagged 'cwe-835'

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.

pypdf is a free and open-source pure-python PDF library. Prior to 6.13.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with threads/articles into a writer. This vulnerability is fixed in 6.13.1.

pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer. This vulnerability is fixed in 6.13.0.

pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode. This vulnerability is fixed in 6.13.0.

pam_usb provides hardware authentication for Linux using removable media. In pam_usb 0.9.1 and earlier, usb_get_process_parent_id() can cause an infinite loop DoS because it does not initialize *ppid on failure. In pusb_local_login(), the same variable is reused as input and output in a process-tree while loop; if /proc/<pid>/stat cannot be read (for example, when an ancestor process exits during authentication), the PID is not updated and the loop does not terminate. This hangs the authenticating process (such as sudo, sshd, or login) until it is forcibly terminated. This issue has been fixed in version 0.9.2.

CVE-2026-54417 is an integer overflow vulnerability in the mtar_next() function of rxi microtar version 0.1.0. The vulnerability occurs when processing crafted tar archives with a header size field that causes 32-bit arithmetic overflow, leading to an infinite loop and 100% CPU usage. This results in a denial of service condition. No official patch or remediation has been indicated yet.

Windows Standards-Based Storage Management Service Denial of Service Vulnerability

CVE-2026-44186 is a high-severity vulnerability in the Apache HTTP Server's mod_proxy_ftp module that causes an infinite loop due to an unreachable exit condition. This affects versions from 2.4.0 through 2.4.67. The vulnerability can be triggered by an attacker-controlled backend FTP server. Users are advised to upgrade to version 2.4.68, which addresses this issue.

The go-billy filesystem abstraction for Go prior to version 5.9.0 and including 6.0.0-alpha.1 contains vulnerabilities related to uncontrolled recursion and improper handling of malformed input. These issues can cause panics, infinite loops, or excessive resource consumption due to missing safety mechanisms like cycle detection and recursion limits. The vulnerability has been addressed in versions 5.9.0 and 6.0.0-alpha.1.

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates.mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0.