CWE Glossary

CWE is a trademark of the MITRE Corporation.


Infinite loop [CWE-835]

Infinite loop weakness describes a case when a loop cannot reach an exit condition.


Created: September 11, 2012
Latest Update: January 10, 2019

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Mitigations
  6. References
  7. Latest Related Security Advisories

1. Description

This weakness describes a logic error within the application that results in an endless loop. The weakness occurs where an application contains an iteration or loop whose exit condition cannot be reached.

The following example in C++ demonstrates an endless loop:

  // Infinite loop [CWE-835] vulnerable code example
  // (c) HTB Research
  #include <stdio.h>

  int main(int argc, char **argv) {
    int i = 0;
    while (i < 10) {
      if (i == 5) {
        // i is never incremented on this branch, so the exit condition i >= 10 is unreachable
        printf("i equals 5\n");
      } else {
        i++;
      }
    }
    return 0;
  }

The above example contains a logic error. If the condition "i == 5" is true, the program outputs the string "i equals 5"; otherwise it increments "i" by 1. Once "i" reaches 5, however, the condition stays true on every subsequent iteration because "i" is never incremented again, and this is where the infinite loop occurs.

2. Potential impact

An attacker can make the application consume all available CPU, memory or disk space, causing the application to hang or the system to crash.

3. Attack patterns

There are no attack patterns for this specific type of weakness.

4. Affected software

Any software that uses loops or iterations can contain logic errors that are subject to this weakness. There are no limitations based on programming language or platform.

5. Mitigations

There are no particular mitigations for this weakness. To reduce the possible impact, the application should run with limited system resources where possible. Avoid creating loops whose number of iterations depends on user input, or introduce additional counters to exit such loops.
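The following C example illustrates the "additional counter" mitigation described above. It is an added example, not code from the ImmuniWeb page or from HTB Research. The node format it parses (two-byte nodes of [next offset][value], with 0xFF marking the end of the chain), the sample buffers and the error codes are all constructed for the example. The unbounded walker's exit condition depends entirely on the input, so a crafted file whose offsets form a cycle never reaches it; the bounded walker adds a step counter whose limit is derived from the buffer size, so a cycle is reported as an error instead of hanging the process.

```c
// Added example (not part of the ImmuniWeb CWE-835 page): bounding an
// input-driven loop with an iteration counter.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define END_OF_CHAIN      0xFF   /* hypothetical terminator value */
#define ERR_BAD_OFFSET    (-1)   /* next offset points outside the buffer */
#define ERR_LOOP_DETECTED (-2)   /* step counter exceeded: offsets form a cycle */

/* Constructed sample inputs. Each node is [next_offset][value]. */
static const uint8_t CHAIN_OK[]    = {2, 10, 4, 20, END_OF_CHAIN, 30}; /* 0 -> 2 -> 4 -> end */
static const uint8_t CHAIN_CYCLE[] = {2, 10, 0, 20};                   /* 0 -> 2 -> 0 -> ... */
static const uint8_t CHAIN_BAD[]   = {9, 5, END_OF_CHAIN, 1};          /* 0 -> 9 (out of range) */

/* Vulnerable shape (CWE-835): the only exit is END_OF_CHAIN, which a crafted
 * cyclic chain never supplies. Never call this on untrusted data. */
int sum_chain_unbounded(const uint8_t *buf, size_t n) {
    size_t pos = 0;
    int sum = 0;
    while (pos + 1 < n) {            /* bounds check only; no progress check */
        sum += buf[pos + 1];
        uint8_t next = buf[pos];
        if (next == END_OF_CHAIN)
            return sum;
        pos = next;                  /* attacker-controlled: may revisit pos */
    }
    return ERR_BAD_OFFSET;
}

/* Hardened version: a chain over n bytes has at most n distinct node starts,
 * so more than n steps proves the walk has revisited a node. The counter is
 * an exit condition that does not depend on the input's cooperation. */
int sum_chain_bounded(const uint8_t *buf, size_t n) {
    size_t pos = 0;
    size_t steps = 0;
    const size_t max_steps = n;      /* additional counter from the Mitigations section */
    int sum = 0;
    while (pos + 1 < n) {
        if (++steps > max_steps)
            return ERR_LOOP_DETECTED;
        sum += buf[pos + 1];
        uint8_t next = buf[pos];
        if (next == END_OF_CHAIN)
            return sum;
        pos = next;
    }
    return ERR_BAD_OFFSET;
}

int main(void) {
    printf("valid chain:  %d\n", sum_chain_bounded(CHAIN_OK, sizeof CHAIN_OK));
    printf("cyclic chain: %d\n", sum_chain_bounded(CHAIN_CYCLE, sizeof CHAIN_CYCLE));
    printf("bad offset:   %d\n", sum_chain_bounded(CHAIN_BAD, sizeof CHAIN_BAD));
    return 0;
}
```

The bounded walker returns the same result as the unbounded one for well-formed input, and turns the two malformed inputs into error codes the caller can log and reject. Deriving the limit from the input size rather than a fixed constant keeps the guard correct for any buffer length; a fixed ceiling would also work where the format itself bounds the record count.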

6. References

  1. CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') [cwe.mitre.org]
  2. Infinite loop [wikipedia.org]

7. Latest HTB Security Advisories with CWE-835


Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
