CWE-606— Unchecked Input for Loop Condition
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.— MITRE CWE catalog
31 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-606page 1 of 1
- CVE-2022-3252HIGHCVSS 7.5EG 7.52022-09-21
Improper detection of complete HTTP body decompression SwiftNIO Extras provides a pair of helpers for transparently decompressing received HTTP request or response bodies. These two objects (HTTPRequestDecompressor and HTTPResponseDecompre…
- CVE-2023-3446MEDIUMCVSS 5.3EG 5.32023-07-19
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience lon…
- CVE-2023-3817MEDIUMCVSS 5.3EG 5.32023-07-31
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience lon…
- CVE-2023-5678MEDIUMCVSS 5.3EG 7.52023-11-06
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may expe…
- CVE-2023-6237MEDIUMCVSS 5.9EG 5.92024-04-25
Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is b…
- CVE-2024-13930MEDIUMCVSS 4.9EG 4.92025-05-22
An Unchecked Loop Condition in ASPECT provides an attacker the ability to maliciously consume system resources if session administrator credentials become compromised This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: thr…
- CVE-2024-13931HIGHCVSS 7.2EG 7.22025-05-22
Relative Path Traversal vulnerabilities in ASPECT allow access to file resources if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: …
- CVE-2024-34486HIGHCVSS 7.5EG 7.52024-05-05
OFPPacketQueue in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via OFPQueueProp.len=0.
- CVE-2024-43499HIGHCVSS 7.5EG 7.52024-11-12
.NET and Visual Studio Denial of Service Vulnerability
- CVE-2024-4603MEDIUMCVSS 5.3EG 5.32024-05-16
Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experi…
- CVE-2024-8508MEDIUMCVSS 5.3EG 5.32024-10-03
NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbou…
- CVE-2025-32399MEDIUMCVSS 5.3EG 5.32025-05-07
An Unchecked Input for Loop Condition in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to cause IO devices that use the library to enter an infinite loop by sending a malicious RPC packet.
- CVE-2025-42930MEDIUMCVSS 6.5EG 6.52025-09-09
SAP Business Planning and Consolidation allows an authenticated standard user to call a function module by crafting specific parameters that causes a loop, consuming excessive resources and resulting in system unavailability. This leads to…
- CVE-2025-43801HIGHCVSS 7.5EG 7.52025-09-16
Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update …
- CVE-2025-65518HIGHCVSS 7.5EG 7.52026-01-08
Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected w…
- CVE-2026-0243MEDIUMCVSS 4.9EG 4.92026-05-13
A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to cause a system disruption by sending a specially crafted IPv…
- CVE-2026-10143HIGHCVSS 7.5EG 7.52026-06-10
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration cou…
- CVE-2026-11972HIGHCVSS 8.2EG 8.22026-06-23
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
- CVE-2026-15172MEDIUMCVSS 5.5EG 5.52026-07-08
FMP/NOTIFY protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
- CVE-2026-1519HIGHCVSS 7.5EG 7.52026-03-25
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative…
- CVE-2026-23689HIGHCVSS 7.7EG 7.72026-02-10
Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-…
- CVE-2026-27145MEDIUMCVSS 6.5EG 6.52026-06-02
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN …
- CVE-2026-33800MEDIUMCVSS 6.5EG 6.52026-07-09
An Unchecked Input for Loop Condition vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).Micro-BFD session flaps gen…
- CVE-2026-33814HIGHCVSS 7.5EG 7.52026-05-07
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
- CVE-2026-33891HIGHCVSS 7.5EG 7.52026-03-27
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteg…
- CVE-2026-39820HIGHCVSS 7.5EG 7.52026-05-07
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
- CVE-2026-41606MEDIUMCVSS 5.3EG 5.32026-04-28
Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
- CVE-2026-41986LOWCVSS 2.4EG 2.42026-06-09
Logic bypass vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect availability.
- CVE-2026-42561HIGHCVSS 7.5EG 7.52026-05-13
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limi…
- CVE-2026-44289HIGHCVSS 7.5EG 7.52026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and gen…
- CVE-2026-5950MEDIUMCVSS 5.3EG 5.32026-05-20
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry co…
Map vulnerabilities like CWE-606 to your infrastructure
EchelonGraph correlates every CVE — across CWE-606 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →