CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1060 vulnerabilities reference this CWE, most recent first.
GHSA-9QFW-47FX-PXVC
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml.
{
"affected": [],
"aliases": [
"CVE-2018-7453"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-24T06:29:00Z",
"severity": "MODERATE"
},
"details": "Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml.",
"id": "GHSA-9qfw-47fx-pxvc",
"modified": "2022-05-13T01:53:23Z",
"published": "2022-05-13T01:53:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7453"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?p=814#p814"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QX2-HWJM-5MWW
Vulnerability from github – Published: 2025-08-14 18:31 – Updated: 2025-08-14 18:31A vulnerability in the management and VPN web servers of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition.
This vulnerability is due to improper validation of user-supplied input on an interface with VPN web services. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on an affected device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.
{
"affected": [],
"aliases": [
"CVE-2025-20243"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T17:15:38Z",
"severity": "HIGH"
},
"details": "A vulnerability in the management and VPN web servers of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition.\n\nThis vulnerability is due to improper validation of user-supplied input on an interface with VPN web services. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on an affected device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.",
"id": "GHSA-9qx2-hwjm-5mww",
"modified": "2025-08-14T18:31:29Z",
"published": "2025-08-14T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20243"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-dos-mfPekA6e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9RPF-MHCJ-GV7R
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-07-14 15:31libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
{
"affected": [],
"aliases": [
"CVE-2026-32777"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:19:44Z",
"severity": "MODERATE"
},
"details": "libexpat before 2.7.5 allows an infinite loop while parsing DTD content.",
"id": "GHSA-9rpf-mhcj-gv7r",
"modified": "2026-07-14T15:31:39Z",
"published": "2026-03-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32777"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/issues/1161"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/pull/1159"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/pull/1162"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://issues.oss-fuzz.com/issues/486993411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9RPJ-3FH9-94X5
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92 allows a local attacker to establish ICE connections to gnome-session with invalid authentication data (an invalid magic cookie). Each failed authentication attempt will leak a file descriptor in gnome-session. When the maximum number of file descriptors is exhausted in the gnome-session process, it will enter an infinite loop trying to communicate without success, consuming 100% of the CPU. The graphical session associated with the gnome-session process will stop working correctly, because communication with gnome-session is no longer possible.
{
"affected": [],
"aliases": [
"CVE-2017-11171"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T20:29:00Z",
"severity": "MODERATE"
},
"details": "Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92 allows a local attacker to establish ICE connections to gnome-session with invalid authentication data (an invalid magic cookie). Each failed authentication attempt will leak a file descriptor in gnome-session. When the maximum number of file descriptors is exhausted in the gnome-session process, it will enter an infinite loop trying to communicate without success, consuming 100% of the CPU. The graphical session associated with the gnome-session process will stop working correctly, because communication with gnome-session is no longer possible.",
"id": "GHSA-9rpj-3fh9-94x5",
"modified": "2022-05-13T01:42:11Z",
"published": "2022-05-13T01:42:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11171"
},
{
"type": "WEB",
"url": "https://github.com/GNOME/gnome-session/commit/b0dc999e0b45355314616321dbb6cb71e729fc9d"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1025068"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9V76-4QCC-FRGH
Vulnerability from github – Published: 2026-05-18 19:10 – Updated: 2026-05-18 19:10Executive Summary:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Announcement
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/397
CVSS Details
- Version: 3.1
- Severity:
- Score: 7.5
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
- Weakness: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Affected Platforms
- Platforms: All
- Architectures: All
Affected Packages
The vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below
.NET 10
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 10.0.0, <= 10.0.7 | 10.0.8 |
.NET 9
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 9.0.0, <= 9.0.15 | 9.0.16 |
.NET 8
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 8.0.0, <= 8.0.26 | 8.0.27 |
Advisory FAQ
How do I know if I am affected?
If using a package listed in affected packages, an application is exposed to the vulnerability.
How do I fix the issue?
- To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If developers have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt them to update Visual Studio, which will also update the application's .NET SDKs.
- If an application references the vulnerable package, update the package reference to the patched version. Developers can list the versions they have installed by running the
dotnet --infocommand.
Once developers have installed the updated runtime or SDK, they should restart their apps for the update to take effect.
Additionally, if developers have deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If a potential security issue has been found in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the MSRC Researcher Portal. Further information can be found in the MSRC Report an Issue FAQ.
Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
Questions about this issue can be submitted to the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. Questions can be submitted through the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
Acknowledgements
hamayanhamayan Muhammad Abdul Rehman
Revisions
V1.0 (May 12, 2026): Advisory published.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x86"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-x64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-x64"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x86"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.win-x86"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-x64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.linux-x64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.15"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-x64"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.7"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.App.Runtime.osx-x64"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42899"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T19:10:59Z",
"nvd_published_at": "2026-05-12T18:17:26Z",
"severity": "HIGH"
},
"details": "## Executive Summary: \n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nLoop with unreachable exit condition (\u0027infinite loop\u0027) in ASP.NET Core allows an unauthorized attacker to deny service over a network.\n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/397\n\n## CVSS Details\n\n- **Version:** 3.1\n- **Severity:** \n- **Score:** 7.5\n- **Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C \n- **Weakness:** CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\n\n## Affected Platforms\n\n- **Platforms:** All\n- **Architectures:** All\n\n## \u003ca name=\"affected-packages\"\u003e\u003c/a\u003eAffected Packages\nThe vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below\n\n### \u003ca name=\".NET 10\"\u003e\u003c/a\u003e.NET 10\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n\n### \u003ca name=\".NET 9\"\u003e\u003c/a\u003e.NET 9\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n\n\n### \u003ca name=\".NET 8\"\u003e\u003c/a\u003e.NET 8\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n\n## Advisory FAQ\n\n### \u003ca name=\"how-affected\"\u003e\u003c/a\u003eHow do I know if I am affected?\n\nIf using a package listed in [affected packages](#affected-packages), an application is exposed to the vulnerability.\n\n### \u003ca name=\"how-fix\"\u003e\u003c/a\u003eHow do I fix the issue?\n\n1. To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If developers have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt them to update Visual Studio, which will also update the application\u0027s .NET SDKs.\n2. If an application references the vulnerable package, update the package reference to the patched version. Developers can list the versions they have installed by running the `dotnet --info` command. \n\nOnce developers have installed the updated runtime or SDK, they should restart their apps for the update to take effect.\n\nAdditionally, if developers have deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf a potential security issue has been found in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue).\n\nSecurity reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.\n\n### Support\n\nQuestions about this issue can be submitted to the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. Questions can be submitted through the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2026-42899]( https://www.cve.org/CVERecord?id=CVE-2026-42899)\n\n### Acknowledgements\nhamayanhamayan\u202fMuhammad Abdul Rehman \n\n### Revisions\n\nV1.0 (May 12, 2026): Advisory published.",
"id": "GHSA-9v76-4qcc-frgh",
"modified": "2026-05-18T19:10:59Z",
"published": "2026-05-18T19:10:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dotnet/aspnetcore/security/advisories/GHSA-9v76-4qcc-frgh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42899"
},
{
"type": "WEB",
"url": "https://github.com/dotnet/announcements/issues/397"
},
{
"type": "PACKAGE",
"url": "https://github.com/dotnet/aspnetcore"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42899"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Microsoft Security Advisory CVE-2026-42899 \u2013 ASP.NET Core Denial of Service Vulnerability"
}
GHSA-9VJ4-WC7R-P844
Vulnerability from github – Published: 2026-01-21 01:05 – Updated: 2026-01-21 01:05Summary
Stack overflow via infinite recursion in MSL (Magick Scripting Language) <write> command when writing to MSL format.
Version
- ImageMagick 7.x (tested on current main branch)
- Commit: HEAD
- Requires: libxml2 support (for MSL parsing)
Steps to Reproduce
Method 1: Using ImageMagick directly
magick MSL:recursive.msl out.png
Method 2: Using OSS-Fuzz reproduce
python3 infra/helper.py build_fuzzers imagemagick
python3 infra/helper.py reproduce imagemagick msl_fuzzer recursive.msl
Or run the fuzzer directly:
./msl_fuzzer recursive.msl
Expected Behavior
ImageMagick should handle recursive MSL references gracefully by detecting the loop and returning an error.
Actual Behavior
Stack overflow causes process crash:
AddressSanitizer:DEADLYSIGNAL
==PID==ERROR: AddressSanitizer: stack-overflow
#0 MSLStartElement /src/imagemagick/coders/msl.c:7045
#1 xmlParseStartTag /src/libxml2/parser.c
#2 xmlParseChunk /src/libxml2/parser.c:11273
#3 ProcessMSLScript /src/imagemagick/coders/msl.c:7405
#4 WriteMSLImage /src/imagemagick/coders/msl.c:7867
#5 WriteImage /src/imagemagick/MagickCore/constitute.c:1346
#6 MSLStartElement /src/imagemagick/coders/msl.c:7045
... (infinite recursion, 287+ frames)
Root Cause Analysis
In coders/msl.c, the <write> command handler in MSLStartElement() (line ~7045) calls WriteImage(). When the output filename specifies MSL format (msl:filename), WriteMSLImage() is called, which parses the MSL file again via ProcessMSLScript().
If the MSL file references itself (directly or indirectly), this creates an infinite recursion loop:
MSLStartElement() → WriteImage() → WriteMSLImage() → ProcessMSLScript()
→ xmlParseChunk() → MSLStartElement() → ... (infinite loop)
Impact
- DoS: Guaranteed crash via stack exhaustion
- Affected: Any application using ImageMagick to process user-supplied MSL files
Additional Trigger Paths
The <read> command can also trigger recursion:
Indirect recursion is also possible (a.msl → b.msl → a.msl).
Fuzzer
This issue was discovered using a custom MSL fuzzer:
#include <cstdint>
#include <Magick++/Blob.h>
#include <Magick++/Image.h>
#include "utils.cc"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
if (IsInvalidSize(Size))
return(0);
try
{
const Magick::Blob blob(Data, Size);
Magick::Image image;
image.magick("MSL");
image.fileName("MSL:");
image.read(blob);
}
catch (Magick::Exception)
{
}
return(0);
}
This issue was found by Team FuzzingBrain @ Texas A&M University
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23874"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T01:05:23Z",
"nvd_published_at": "2026-01-20T01:15:57Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nStack overflow via infinite recursion in MSL (Magick Scripting Language) `\u003cwrite\u003e` command when writing to MSL format.\n\n## Version\n\n- ImageMagick 7.x (tested on current main branch)\n- Commit: HEAD\n- Requires: libxml2 support (for MSL parsing)\n\n## Steps to Reproduce\n\n### Method 1: Using ImageMagick directly\n\n```bash\nmagick MSL:recursive.msl out.png\n```\n\n### Method 2: Using OSS-Fuzz reproduce\n\n```bash\npython3 infra/helper.py build_fuzzers imagemagick\npython3 infra/helper.py reproduce imagemagick msl_fuzzer recursive.msl\n```\n\nOr run the fuzzer directly:\n```bash\n./msl_fuzzer recursive.msl\n```\n\n## Expected Behavior\n\nImageMagick should handle recursive MSL references gracefully by detecting the loop and returning an error.\n\n## Actual Behavior\n\nStack overflow causes process crash:\n\n```\nAddressSanitizer:DEADLYSIGNAL\n==PID==ERROR: AddressSanitizer: stack-overflow\n #0 MSLStartElement /src/imagemagick/coders/msl.c:7045\n #1 xmlParseStartTag /src/libxml2/parser.c\n #2 xmlParseChunk /src/libxml2/parser.c:11273\n #3 ProcessMSLScript /src/imagemagick/coders/msl.c:7405\n #4 WriteMSLImage /src/imagemagick/coders/msl.c:7867\n #5 WriteImage /src/imagemagick/MagickCore/constitute.c:1346\n #6 MSLStartElement /src/imagemagick/coders/msl.c:7045\n ... (infinite recursion, 287+ frames)\n```\n\n## Root Cause Analysis\n\nIn `coders/msl.c`, the `\u003cwrite\u003e` command handler in `MSLStartElement()` (line ~7045) calls `WriteImage()`. When the output filename specifies MSL format (`msl:filename`), `WriteMSLImage()` is called, which parses the MSL file again via `ProcessMSLScript()`.\n\nIf the MSL file references itself (directly or indirectly), this creates an infinite recursion loop:\n\n```\nMSLStartElement() \u2192 WriteImage() \u2192 WriteMSLImage() \u2192 ProcessMSLScript()\n \u2192 xmlParseChunk() \u2192 MSLStartElement() \u2192 ... (infinite loop)\n```\n\n## Impact\n\n- **DoS**: Guaranteed crash via stack exhaustion\n- **Affected**: Any application using ImageMagick to process user-supplied MSL files\n\n## Additional Trigger Paths\n\nThe `\u003cread\u003e` command can also trigger recursion:\n\nIndirect recursion is also possible (a.msl \u2192 b.msl \u2192 a.msl).\n\n## Fuzzer\n\nThis issue was discovered using a custom MSL fuzzer:\n\n```cpp\n#include \u003ccstdint\u003e\n#include \u003cMagick++/Blob.h\u003e\n#include \u003cMagick++/Image.h\u003e\n#include \"utils.cc\"\n\nextern \"C\" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)\n{\n if (IsInvalidSize(Size))\n return(0);\n try\n {\n const Magick::Blob blob(Data, Size);\n Magick::Image image;\n image.magick(\"MSL\");\n image.fileName(\"MSL:\");\n image.read(blob);\n }\n catch (Magick::Exception)\n {\n }\n return(0);\n}\n```\n\nThis issue was found by Team FuzzingBrain @ Texas A\u0026M University",
"id": "GHSA-9vj4-wc7r-p844",
"modified": "2026-01-21T01:05:23Z",
"published": "2026-01-21T01:05:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23874"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick MSL: Stack overflow via infinite recursion in ProcessMSLScript"
}
GHSA-9W8R-397F-PRFH
Vulnerability from github – Published: 2021-04-20 16:35 – Updated: 2024-10-14 16:12An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Pygments"
},
"ranges": [
{
"events": [
{
"introduced": "1.5"
},
{
"fixed": "2.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-20270"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-12T20:58:03Z",
"nvd_published_at": "2021-03-23T17:15:00Z",
"severity": "HIGH"
},
"details": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword.",
"id": "GHSA-9w8r-397f-prfh",
"modified": "2024-10-14T16:12:14Z",
"published": "2021-04-20T16:35:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20270"
},
{
"type": "WEB",
"url": "https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136"
},
{
"type": "PACKAGE",
"url": "https://github.com/pygments/pygments"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pygments/PYSEC-2021-140.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4889"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Infinite Loop in Pygments"
}
GHSA-9WJ4-8H85-PGRW
Vulnerability from github – Published: 2025-06-10 20:14 – Updated: 2025-06-10 20:14Impact
OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.
Patches
The vulnerability has been patched in version 1.11.2.
Workaround
OctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not.
Details
The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server.
The fix adds detection of invalid requests like that and ensures they are handled gracefully with an HTTP 400 Bad Request response.
Credits
This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "OctoPrint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48879"
],
"database_specific": {
"cwe_ids": [
"CWE-140",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-10T20:14:43Z",
"nvd_published_at": "2025-06-10T16:15:41Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken `multipart/form-data` request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.\n\n### Patches\n\nThe vulnerability has been patched in version 1.11.2.\n\n### Workaround\n\nOctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not.\n\n### Details\n\nThe issue can be triggered by a broken `multipart/form-data` request lacking an end boundary to any of OctoPrint\u0027s endpoints implemented through the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server.\n\nThe fix adds detection of invalid requests like that and ensures they are handled gracefully with an HTTP 400 Bad Request response.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.",
"id": "GHSA-9wj4-8h85-pgrw",
"modified": "2025-06-10T20:14:44Z",
"published": "2025-06-10T20:14:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48879"
},
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec"
},
{
"type": "PACKAGE",
"url": "https://github.com/OctoPrint/OctoPrint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint"
}
GHSA-9WM5-V79H-43G8
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:46find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.
{
"affected": [],
"aliases": [
"CVE-2017-15024"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-05T01:29:00Z",
"severity": "MODERATE"
},
"details": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"id": "GHSA-9wm5-v79h-43g8",
"modified": "2025-04-20T03:46:20Z",
"published": "2022-05-13T01:43:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15024"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/10/03/binutils-infinite-loop-in-find_abstract_instance_name-dwarf2-c"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22187"
},
{
"type": "WEB",
"url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=52a93b95ec0771c97e26f0bb28630a271a667bd2"
},
{
"type": "WEB",
"url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52a93b95ec0771c97e26f0bb28630a271a667bd2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9WWR-2JH3-482P
Vulnerability from github – Published: 2026-02-18 18:30 – Updated: 2026-06-02 15:31In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with "bad smb2 signature" messages and high CPU usage.
This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.
{
"affected": [],
"aliases": [
"CVE-2026-23220"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-18T16:22:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths\n\nThe problem occurs when a signed request fails smb2 signature verification\ncheck. In __process_request(), if check_sign_req() returns an error,\nset_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.\nset_smb2_rsp_status() set work-\u003enext_smb2_rcv_hdr_off as zero. By resetting\nnext_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain\nis lost. Consequently, is_chained_smb2_message() continues to point to\nthe same request header instead of advancing. If the header\u0027s NextCommand\nfield is non-zero, the function returns true, causing __handle_ksmbd_work()\nto repeatedly process the same failed request in an infinite loop.\nThis results in the kernel log being flooded with \"bad smb2 signature\"\nmessages and high CPU usage.\n\nThis patch fixes the issue by changing the return value from\nSERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that\nthe processing loop terminates immediately rather than attempting to\ncontinue from an invalidated offset.",
"id": "GHSA-9wwr-2jh3-482p",
"modified": "2026-06-02T15:31:53Z",
"published": "2026-02-18T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23220"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/010eb01ce23b34b50531448b0da391c7f05a72af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/544adb0a6658ea1bff4064723761dbf05f95b1e2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/71b5e7c528315ca360a1825a4ad2f8ae48c5dc16"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9135e791ec2709bcf0cda0335535c74762489498"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7b1c2f5642bbd60b1beef1f3298cbac81eb232c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb3b66bd72deb5543addaefa67963b34fb163a7b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.