Description
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Potential Impact
Availability
DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification
Demonstrative Examples
In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails.
Bad
int processMessagesFromServer(char *hostaddr, int port) {
...int servsock;int connected;struct sockaddr_in servaddr;
// create socket to connect to server
servsock = socket( AF_INET, SOCK_STREAM, 0);memset( &servaddr, 0, sizeof(servaddr));servaddr.sin_family = AF_INET;servaddr.sin_port = htons(port);servaddr.sin_addr.s_addr = inet_addr(hostaddr);
do {
// establish connection to server
connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));
// if connected then read and process messages from server
if (connected > -1) {
// read and process messages
...
}
// keep trying to establish connection to the server
} while (connected < 0);
// close socket and return success or failure
...
}However, this will create an infinite loop if the server does not respond. This infinite loop will consume system resources and can be used to create a denial of service attack. To resolve this a counter should be used to limit the number of attempts to establish a connection to the server, as in the following code.
Good
int processMessagesFromServer(char *hostaddr, int port) {
...
// initialize number of attempts counter
int count = 0;do {
// establish connection to server
connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr));
// increment counter
count++;
// if connected then read and process messages from server
if (connected > -1) {
// read and process messages
...
}
// keep trying to establish connection to the server
// up to a maximum number of attempts
} while (connected < 0 && count < MAX_ATTEMPTS);
// close socket and return success or failure
...
}For this example, the method isReorderNeeded is part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.
Bad
public boolean isReorderNeeded(String bookISBN, int rateSold) {
boolean isReorder = false;
int minimumCount = 10;int days = 0;
// get inventory count for book
int inventoryCount = inventory.getIventoryCount(bookISBN);
// find number of days until inventory count reaches minimum
while (inventoryCount > minimumCount) {
inventoryCount = inventoryCount - rateSold;days++;
}
// if number of days within reorder timeframe
// set reorder return boolean to true
if (days > 0 && days < 5) {isReorder = true;}
return isReorder;
}However, the while loop will become an infinite loop if the rateSold input parameter has a value of zero since the inventoryCount will never fall below the minimumCount. In this case the input parameter should be validated to ensure that a value of zero does not cause an infinite loop, as in the following code.
Good
public boolean isReorderNeeded(String bookISBN, int rateSold) {
...
// validate rateSold variable
if (rateSold < 1) {return isReorder;}
...
}Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2025-32399 | Chain: library for implementing Profinet devices does not check an input for a loop condition (CWE-606), allowing an infinite loop (CWE-835) via a crafted RPC packet |
| CVE-2022-22224 | Chain: an operating system does not properly process malformed Open Shortest Path First (OSPF) Type/Length/Value Identifiers (TLV) (CWE-703), which can cause the process to enter an infinite loop (CWE |
| CVE-2022-25304 | A Python machine communication platform did not account for receiving a malformed packet with a null size, causing the receiving function to never update the message buffer and be caught in an infinit |
| CVE-2011-1027 | Chain: off-by-one error (CWE-193) leads to infinite loop (CWE-835) using invalid hex-encoded characters. |
| CVE-2011-1142 | Chain: self-referential values in recursive definitions lead to infinite loop. |
| CVE-2011-1002 | NULL UDP packet is never cleared from a queue, leading to infinite loop. |
| CVE-2006-6499 | Chain: web browser crashes due to infinite loop - "bad looping logic [that relies on] floating point math [CWE-1339] to exit the loop [CWE-835]" |
| CVE-2010-4476 | Floating point conversion routine cycles back and forth between two different values. |
| CVE-2010-4645 | Floating point conversion routine cycles back and forth between two different values. |
| CVE-2010-2534 | Chain: improperly clearing a pointer in a linked list leads to infinite loop. |
| CVE-2013-1591 | Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full. |
| CVE-2008-3688 | Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server. |
Related Weaknesses
Taxonomy Mappings
- OMG ASCSM: ASCSM-CWE-835 —
Frequently Asked Questions
What is CWE-835?
CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
How can CWE-835 be exploited?
Attackers can exploit CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')) to dos: resource consumption (cpu), dos: resource consumption (memory), dos: amplification. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-835?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-835?
CWE-835 is classified as a Base-level weakness (Medium abstraction). It has been observed in 12 real-world CVEs.