CWE Glossary

CWE is a trademark of the MITRE Corporation.


Infinite loop [CWE-835]

This weakness describes a case when a loop cannot reach an exit condition.

Created: September 11, 2012
Latest Update: August 6, 2015

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References
  8. Latest Related Security Advisories

1. Description

This weakness describes a logic error within the application that results in an endless loop. It occurs when an application contains an iteration or loop whose exit condition cannot be reached.

The following example in C++ demonstrates the endless loop:

  // Infinite loop [CWE-835] vulnerable code example
  // (c) HTB Research
  #include <stdio.h>
  int main(int argc, char *argv[]) {
    int i = 0;
    while (i < 10) {
      if (i == 5) {
        // No increment on this path: i stays 5 and the loop never exits
        printf("i equals 5\n");
      }
      else {
        i++;
      }
    }
    return 0;
  }

The above example contains a logic error. If the condition "i==5" is true, the program outputs the string "i equals 5"; otherwise it increments "i" by 1. Once "i" reaches 5, the branch that prints does not increment it, so "i==5" stays true on every later iteration, "i < 10" never becomes false, and the loop never exits.

2. Potential impact

An attacker can make the application consume all available CPU, memory or disk space, causing the application to hang or the system to crash.

3. Attack patterns

There are no attack patterns for this specific type of weakness.

4. Affected software

Any software that uses loops or iterations can contain logic errors that are subject to this weakness. There are no limitations based on programming language or platform.

5. Severity and CVSS Scoring

Since the maximum impact can be denial of service, this weakness should be scored as A:P or A:C. When only one service is affected by this vulnerability and the service is accessible remotely, it should be scored as:
5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) - Medium severity.

When the entire system can be crashed, e.g. due to memory or disk space consumption, it should be scored as:
7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) - High severity.


We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration a lot of practical nuances and details. Therefore, they may sometimes differ from those recommended by FIRST.

6. Mitigations

There are no particular mitigations for this weakness. To reduce the possible impact, the application should run with limited system resources, if possible. Avoid creating loops where the number of iterations is based on user input, or introduce additional counters to exit such loops.
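
The mitigation above applied to a loop driven by input data, as an added example that is not part of the original HTB code. The record format, the function name count_records and the WalkResult values are assumptions made for illustration.

```cpp
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

// Hypothetical names and wire format, used only for this illustration:
// a buffer of records, each starting with one byte that gives the total
// record size in bytes (including the size byte itself).
enum class WalkResult { Ok, NoProgress, Truncated, BudgetExceeded };

// Unbounded form:  while (pos < n) pos += buf[pos];
// A size byte of 0 leaves pos unchanged, so "pos < n" stays true forever.
WalkResult count_records(const uint8_t* buf, size_t n,
                         size_t max_records, size_t& count) {
    size_t pos = 0;
    count = 0;
    while (pos < n) {
        // Additional counter: exit even when the input is valid but huge.
        if (count >= max_records) return WalkResult::BudgetExceeded;
        size_t step = buf[pos];  // increment taken from untrusted input
        if (step == 0) return WalkResult::NoProgress;      // would never advance
        if (step > n - pos) return WalkResult::Truncated;  // runs past the end
        pos += step;
        ++count;
    }
    return WalkResult::Ok;
}

int main() {
    // Constructed sample inputs.
    const uint8_t good[]    = {2, 0xAA, 3, 0xBB, 0xCC};
    const uint8_t stalled[] = {2, 0xAA, 0, 0x01};
    const uint8_t flood[]   = {1, 1, 1, 1, 1, 1};
    size_t c = 0;
    WalkResult r = count_records(good, sizeof good, 16, c);
    printf("good:    result=%d records=%zu\n", static_cast<int>(r), c);
    r = count_records(stalled, sizeof stalled, 16, c);
    printf("stalled: result=%d records=%zu\n", static_cast<int>(r), c);
    r = count_records(flood, sizeof flood, 4, c);
    printf("flood:   result=%d records=%zu\n", static_cast<int>(r), c);
    return 0;
}
```

The zero-step check removes the unreachable exit condition itself, while the record budget bounds the work done on input that is well-formed but excessively long.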

7. References

  1. CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') [cwe.mitre.org]
  2. Infinite loop [wikipedia.org]

8. Latest HTB Security Advisories with CWE-835


Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
