CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-V6W7-GQ3G-FWVM
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-06-04 00:00A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2021-20255"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"id": "GHSA-v6w7-gq3g-fwvm",
"modified": "2022-06-04T00:00:55Z",
"published": "2022-05-24T17:43:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20255"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930646"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html"
},
{
"type": "WEB",
"url": "https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210507-0003"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/02/25/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V78M-2Q7V-FJQP
Vulnerability from github – Published: 2022-06-22 17:52 – Updated: 2022-07-12 21:59Impact
When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately.
This is a security concern for you, if - your service parses untrusted rulex expressions (expressions provided by an untrusted user), and - your service becomes unavailable when the process running rulex aborts due to a stack overflow.
Patches
The crash is fixed in version 0.4.3. Affected users are advised to update to this version.
Workarounds
None.
For more information
If you have any questions or comments about this advisory: * Open an issue in rulex * Email me at ludwig.stecher@gmx.de
Credits
Credit for finding these bugs goes to
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rulex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31099"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-22T17:52:51Z",
"nvd_published_at": "2022-06-27T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhen parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately.\n\nThis is a security concern for you, if\n- your service parses untrusted rulex expressions (expressions provided by an untrusted user), and\n- your service becomes unavailable when the process running rulex aborts due to a stack overflow.\n\n### Patches\nThe crash is fixed in version **0.4.3**. Affected users are advised to update to this version.\n\n### Workarounds\nNone.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [rulex](https://github.com/rulex-rs/rulex/issues)\n* Email me at [ludwig.stecher@gmx.de](mailto:ludwig.stecher@gmx.de)\n\n### Credits\n\nCredit for finding these bugs goes to\n\n- [evanrichter](https://github.com/evanrichter)\n- [ForAllSecure Mayhem](https://forallsecure.com/)\n- [cargo fuzz](https://github.com/rust-fuzz/cargo-fuzz) and [afl.rs](https://github.com/rust-fuzz/afl.rs)",
"id": "GHSA-v78m-2q7v-fjqp",
"modified": "2022-07-12T21:59:11Z",
"published": "2022-06-22T17:52:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rulex-rs/rulex/security/advisories/GHSA-v78m-2q7v-fjqp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31099"
},
{
"type": "WEB",
"url": "https://github.com/rulex-rs/rulex/commit/60aa2dc03a22d69c8800fec81f99c96958a11363"
},
{
"type": "PACKAGE",
"url": "https://github.com/rulex-rs/rulex"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0030.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Recursion in rulex"
}
GHSA-V7CF-C9RM-WM3J
Vulnerability from github – Published: 2026-03-17 14:07 – Updated: 2026-03-17 14:07Summary
justhtml through 1.9.1 allows denial of service via deeply nested HTML. During parsing, JustHTML.__init__() always reaches TreeBuilder.finish(), which unconditionally calls _populate_selectedcontent(). That function recursively traverses the DOM via _find_elements() / _find_element() without a depth bound, allowing attacker-controlled deeply nested input to trigger an unhandled RecursionError on CPython. Depending on the host application's exception handling, this can abort parsing, fail requests, or terminate a worker/process.
Details
TreeBuilder.finish() (treebuilder.py#L476) unconditionally calls _populate_selectedcontent(self.document) at line 494. _populate_selectedcontent() (treebuilder.py#L1243) calls _find_elements() (treebuilder.py#L1280) to recursively search the DOM tree for <select> elements:
def _find_elements(self, node: Any, name: str, result: list[Any]) -> None:
"""Recursively find all elements with given name."""
if node.name == name:
result.append(node)
if node.has_child_nodes():
for child in node.children:
self._find_elements(child, name, result) # recursive call
When the DOM tree depth exceeds CPython's default recursion limit (1000), this raises an unhandled RecursionError. The full call path is:
JustHTML(html) → tokenizer.run() → tree_builder.finish() → _populate_selectedcontent(document) → _find_elements(root, "select", selects) (recursive)
Deeply nested DOM trees can be produced by nesting <div> tags ~1000 levels deep. On CPython with the default recursion limit, approximately 11 KB of <div> nesting is sufficient to trigger the error. The exact depth threshold is environment-dependent (CPython version, recursion limit setting, call stack depth at invocation).
Additional recursive functions are affected on already-parsed deep trees:
- Node.clone_node(deep=True) (node.py#L523) — called during sanitization
- _node_to_html() (serialize.py#L580) — used by to_html(pretty=True)
- _to_markdown_walk() (node.py#L817) — used by to_markdown()
Note: the library already uses iterative traversal in several comparable functions (e.g., _node_to_html_compact at serialize.py#L197, _to_text_collect at node.py#L161, _is_blocky_element at serialize.py#L405, apply_to_children at transforms.py#L1642), demonstrating the correct pattern.
PoC
from justhtml import JustHTML
html = "<div>" * 1000 + "x" + "</div>" * 1000
doc = JustHTML(html) # raises RecursionError
Test environment: CPython 3.14.3, macOS ARM64 (Apple Silicon), justhtml 1.9.1, default recursion limit (1000)
| Input | Size | Result |
|---|---|---|
<div> × 500 |
5,501 bytes | OK |
<div> × 800 |
8,801 bytes | OK |
<div> × 1000 |
11,001 bytes | RecursionError |
The error occurs with both sanitize=True (default) and sanitize=False.
Impact
An attacker who can supply HTML for parsing can trigger an unhandled RecursionError during JustHTML() construction. The error is triggered during construction and is not avoided by justhtml configuration alone; mitigating it requires host-application exception handling or input constraints. Depending on the host application's exception handling, this can abort parsing, fail requests, or terminate a worker/process.
Suggested Fix
Convert the recursive tree traversal functions to iterative implementations using an explicit stack. Example for _find_elements:
def _find_elements(self, node: Any, name: str, result: list[Any]) -> None:
stack = [node]
while stack:
current = stack.pop()
if current.name == name:
result.append(current)
if current.has_child_nodes():
stack.extend(reversed(current.children))
The same conversion should be applied to _find_element, clone_node(deep=True), _node_to_html(), and _to_markdown_walk().
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.9.1"
},
"package": {
"ecosystem": "PyPI",
"name": "justhtml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T14:07:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\njusthtml through 1.9.1 allows denial of service via deeply nested HTML. During parsing, `JustHTML.__init__()` always reaches `TreeBuilder.finish()`, which unconditionally calls `_populate_selectedcontent()`. That function recursively traverses the DOM via `_find_elements()` / `_find_element()` without a depth bound, allowing attacker-controlled deeply nested input to trigger an unhandled `RecursionError` on CPython. Depending on the host application\u0027s exception handling, this can abort parsing, fail requests, or terminate a worker/process.\n\n### Details\n\n`TreeBuilder.finish()` ([`treebuilder.py#L476`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L476)) unconditionally calls `_populate_selectedcontent(self.document)` at [line 494](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L494). `_populate_selectedcontent()` ([`treebuilder.py#L1243`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L1243)) calls `_find_elements()` ([`treebuilder.py#L1280`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L1280)) to recursively search the DOM tree for `\u003cselect\u003e` elements:\n\n```python\ndef _find_elements(self, node: Any, name: str, result: list[Any]) -\u003e None:\n \"\"\"Recursively find all elements with given name.\"\"\"\n if node.name == name:\n result.append(node)\n if node.has_child_nodes():\n for child in node.children:\n self._find_elements(child, name, result) # recursive call\n```\n\nWhen the DOM tree depth exceeds CPython\u0027s default recursion limit (1000), this raises an unhandled `RecursionError`. The full call path is:\n\n`JustHTML(html)` \u2192 `tokenizer.run()` \u2192 `tree_builder.finish()` \u2192 `_populate_selectedcontent(document)` \u2192 `_find_elements(root, \"select\", selects)` (recursive)\n\nDeeply nested DOM trees can be produced by nesting `\u003cdiv\u003e` tags ~1000 levels deep. On CPython with the default recursion limit, approximately 11 KB of `\u003cdiv\u003e` nesting is sufficient to trigger the error. The exact depth threshold is environment-dependent (CPython version, recursion limit setting, call stack depth at invocation).\n\nAdditional recursive functions are affected on already-parsed deep trees:\n- `Node.clone_node(deep=True)` ([`node.py#L523`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L523)) \u2014 called during sanitization\n- `_node_to_html()` ([`serialize.py#L580`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L580)) \u2014 used by `to_html(pretty=True)`\n- `_to_markdown_walk()` ([`node.py#L817`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L817)) \u2014 used by `to_markdown()`\n\nNote: the library already uses iterative traversal in several comparable functions (e.g., `_node_to_html_compact` at [`serialize.py#L197`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L197), `_to_text_collect` at [`node.py#L161`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L161), `_is_blocky_element` at [`serialize.py#L405`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L405), `apply_to_children` at [`transforms.py#L1642`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/transforms.py#L1642)), demonstrating the correct pattern.\n\n### PoC\n\n```python\nfrom justhtml import JustHTML\n\nhtml = \"\u003cdiv\u003e\" * 1000 + \"x\" + \"\u003c/div\u003e\" * 1000\ndoc = JustHTML(html) # raises RecursionError\n```\n\nTest environment: CPython 3.14.3, macOS ARM64 (Apple Silicon), justhtml 1.9.1, default recursion limit (1000)\n\n| Input | Size | Result |\n|-------|------|--------|\n| `\u003cdiv\u003e` \u00d7 500 | 5,501 bytes | OK |\n| `\u003cdiv\u003e` \u00d7 800 | 8,801 bytes | OK |\n| `\u003cdiv\u003e` \u00d7 1000 | 11,001 bytes | RecursionError |\n\nThe error occurs with both `sanitize=True` (default) and `sanitize=False`.\n\n### Impact\n\nAn attacker who can supply HTML for parsing can trigger an unhandled `RecursionError` during `JustHTML()` construction. The error is triggered during construction and is not avoided by `justhtml` configuration alone; mitigating it requires host-application exception handling or input constraints. Depending on the host application\u0027s exception handling, this can abort parsing, fail requests, or terminate a worker/process.\n\n### Suggested Fix\n\nConvert the recursive tree traversal functions to iterative implementations using an explicit stack. Example for `_find_elements`:\n\n```python\ndef _find_elements(self, node: Any, name: str, result: list[Any]) -\u003e None:\n stack = [node]\n while stack:\n current = stack.pop()\n if current.name == name:\n result.append(current)\n if current.has_child_nodes():\n stack.extend(reversed(current.children))\n```\n\nThe same conversion should be applied to `_find_element`, `clone_node(deep=True)`, `_node_to_html()`, and `_to_markdown_walk()`.",
"id": "GHSA-v7cf-c9rm-wm3j",
"modified": "2026-03-17T14:07:38Z",
"published": "2026-03-17T14:07:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-v7cf-c9rm-wm3j"
},
{
"type": "PACKAGE",
"url": "https://github.com/EmilStenstrom/justhtml"
},
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/releases/tag/v1.10.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Uncontrolled recursion DoS in JustHTML() via deeply nested HTML"
}
GHSA-V84H-MWMJ-46PF
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file.
{
"affected": [],
"aliases": [
"CVE-2019-6292"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-15T00:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file.",
"id": "GHSA-v84h-mwmj-46pf",
"modified": "2022-05-13T01:22:41Z",
"published": "2022-05-13T01:22:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6292"
},
{
"type": "WEB",
"url": "https://github.com/jbeder/yaml-cpp/issues/657"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V9QG-3J8P-R63V
Vulnerability from github – Published: 2019-08-06 01:43 – Updated: 2024-09-20 16:09An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.11a1"
},
{
"fixed": "1.11.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "2.1a1"
},
{
"fixed": "2.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "2.2a1"
},
{
"fixed": "2.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14235"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2019-08-06T01:34:47Z",
"nvd_published_at": "2019-08-02T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.",
"id": "GHSA-v9qg-3j8p-r63v",
"modified": "2024-09-20T16:09:20Z",
"published": "2019-08-06T01:43:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14235"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/dev/releases/security"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-v9qg-3j8p-r63v"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-14.yaml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Aug/15"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202004-17"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190828-0002"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4498"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Uncontrolled Recursion in Django"
}
GHSA-VC69-VR6F-4X67
Vulnerability from github – Published: 2026-05-15 00:30 – Updated: 2026-05-15 00:30Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server.
{
"affected": [],
"aliases": [
"CVE-2026-6811"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T22:16:45Z",
"severity": "MODERATE"
},
"details": "Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server.",
"id": "GHSA-vc69-vr6f-4x67",
"modified": "2026-05-15T00:30:30Z",
"published": "2026-05-15T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6811"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/PHPC-2636"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VCG7-GX5W-X44C
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.
By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.
This fix replaces min_t(int, ...) with min_t(u32)
{
"affected": [],
"aliases": [
"CVE-2026-43185"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:37Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix signededness bug in smb_direct_prepare_negotiation()\n\nsmb_direct_prepare_negotiation() casts an unsigned __u32 value\nfrom sp-\u003emax_recv_size and req-\u003epreferred_send_size to a signed\nint before computing min_t(int, ...). A maliciously provided\npreferred_send_size of 0x80000000 will return as smaller than\nmax_recv_size, and then be used to set the maximum allowed\nalowed receive size for the next message.\n\nBy sending a second message with a large value (\u003e1420 bytes)\nthe attacker can then achieve a heap buffer overflow.\n\nThis fix replaces min_t(int, ...) with min_t(u32)",
"id": "GHSA-vcg7-gx5w-x44c",
"modified": "2026-05-08T15:31:16Z",
"published": "2026-05-06T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43185"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/55abc475d096da4a5356b6efb0cfdc6156bc1550"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b4f875aac344cdd52a1f34cc70ed2f874a65757"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ceae058eb707ddd0d68f0872f9d9f23b7c30c37b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VF74-69RC-VMQ4
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34Stack overflow vulnerability due to uncontrolled recursion in Avast Antivirus when scanning a malformed PDF file may allow Denial-of-Service of the antivirus process.
This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021208.
The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.
{
"affected": [],
"aliases": [
"CVE-2025-7010"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:49Z",
"severity": "MODERATE"
},
"details": "Stack overflow vulnerability due to uncontrolled recursion in Avast Antivirus when scanning a malformed PDF file may allow Denial-of-Service of the antivirus process.\n\nThis issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021208.\n\n\n\nThe affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.",
"id": "GHSA-vf74-69rc-vmq4",
"modified": "2026-06-13T00:34:30Z",
"published": "2026-06-13T00:34:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7010"
},
{
"type": "WEB",
"url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VGM6-C9JX-RM2C
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-07-01 00:01uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality).
{
"affected": [],
"aliases": [
"CVE-2021-36773"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-18T04:15:00Z",
"severity": "HIGH"
},
"details": "uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality).",
"id": "GHSA-vgm6-c9jx-rm2c",
"modified": "2022-07-01T00:01:15Z",
"published": "2022-05-24T19:08:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36773"
},
{
"type": "WEB",
"url": "https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=27833752"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VH6J-JC39-FGGF
Vulnerability from github – Published: 2026-06-25 18:46 – Updated: 2026-06-25 18:46Summary
MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs.
Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException.
Impact
Applications that deserialize untrusted MessagePack payloads are affected when a formatter skips attacker-controlled values. This is a broad deserialization path and can be reached during normal object deserialization when an input includes an unknown member or extra value.
The attacker does not need to target a special resolver or compression mode. A payload containing many nested single-element arrays or maps in a skipped location can exhaust the process stack. Because StackOverflowException is not catchable in normal .NET execution, this terminates the host process and can deny service to other users of the same process.
MessagePackSecurity.UntrustedData does not mitigate this issue because the skip path does not participate in depth accounting.
Affected components
- Package:
MessagePack - APIs:
MessagePackReader.Skip,MessagePackReader.TrySkip, and formatter paths that skip unknown or ignored values - Finding IDs:
MESSAGEPACKCSHARP-021, duplicate/open variantMESSAGEPACKCSHARP-OPEN-001
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade
MessagePackto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should either make skip traversal iterative or apply the existing depth accounting to arrays and maps encountered by TrySkip(). Any exceeded depth limit should result in a catchable serialization exception instead of process stack exhaustion.
Workarounds
Patching is recommended.
There is no complete workaround for applications that deserialize untrusted MessagePack payloads with affected versions. Reducing accepted message sizes can raise the cost of exploitation but does not remove the recursive skip behavior. Strict schema validation outside MessagePack-CSharp may help only if it rejects unknown or skipped fields before the serializer sees them.
Resources
MESSAGEPACKCSHARP-021: unbounded recursion inTrySkip()MESSAGEPACKCSHARP-OPEN-001: duplicate/open finding for the same root cause- CWE-674: Uncontrolled Recursion
CVE split rationale
This vulnerability is independently fixable in the skip traversal implementation. It should be tracked separately from formatter-specific missing depth checks, JSON conversion recursion, and non-recursion allocation bugs.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.301"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48506"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T18:46:24Z",
"nvd_published_at": "2026-06-22T22:16:47Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`MessagePackReader.TrySkip()` recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses `MessagePackSecurity.MaximumObjectGraphDepth`, the library\u0027s documented protection against deeply nested object graphs.\n\nMany generated and dynamic formatters call `reader.Skip()` when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable `StackOverflowException`.\n\n## Impact\n\nApplications that deserialize untrusted MessagePack payloads are affected when a formatter skips attacker-controlled values. This is a broad deserialization path and can be reached during normal object deserialization when an input includes an unknown member or extra value.\n\nThe attacker does not need to target a special resolver or compression mode. A payload containing many nested single-element arrays or maps in a skipped location can exhaust the process stack. Because `StackOverflowException` is not catchable in normal .NET execution, this terminates the host process and can deny service to other users of the same process.\n\n`MessagePackSecurity.UntrustedData` does not mitigate this issue because the skip path does not participate in depth accounting.\n\n## Affected components\n\n- Package: `MessagePack`\n- APIs: `MessagePackReader.Skip`, `MessagePackReader.TrySkip`, and formatter paths that skip unknown or ignored values\n- Finding IDs: `MESSAGEPACKCSHARP-021`, duplicate/open variant `MESSAGEPACKCSHARP-OPEN-001`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should either make skip traversal iterative or apply the existing depth accounting to arrays and maps encountered by `TrySkip()`. Any exceeded depth limit should result in a catchable serialization exception instead of process stack exhaustion.\n\n## Workarounds\n\nPatching is recommended.\n\nThere is no complete workaround for applications that deserialize untrusted MessagePack payloads with affected versions. Reducing accepted message sizes can raise the cost of exploitation but does not remove the recursive skip behavior. Strict schema validation outside MessagePack-CSharp may help only if it rejects unknown or skipped fields before the serializer sees them.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-021`: unbounded recursion in `TrySkip()`\n- `MESSAGEPACKCSHARP-OPEN-001`: duplicate/open finding for the same root cause\n- CWE-674: Uncontrolled Recursion\n\n## CVE split rationale\n\nThis vulnerability is independently fixable in the skip traversal implementation. It should be tracked separately from formatter-specific missing depth checks, JSON conversion recursion, and non-recursion allocation bugs.",
"id": "GHSA-vh6j-jc39-fggf",
"modified": "2026-06-25T18:46:24Z",
"published": "2026-06-25T18:46:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-vh6j-jc39-fggf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48506"
},
{
"type": "PACKAGE",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object graph depth"
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.