CWE-674 · Uncontrolled Recursion
445 CVEs classified under CWE-674 (Uncontrolled Recursion). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-43185 | Critical | 9.8 | 2026-05-06 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negoti… |
| CVE-2023-51803 | Critical | 9.8 | 2024-04-01 | LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring. |
| CVE-2021-41752 | Critical | 9.8 | 2022-04-05 | Stack overflow vulnerability in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on Oct 20, 2021 due to an unbounded recursive call to the ne… |
| CVE-2018-1000618 | Critical | 9.8 | 2018-07-09 | EOSIO/eos eos version after commit f1545dd0ae2b77580c2236fdb70ae7138d2c7168 contains a stack overflow vulnerability in abi_serializer that can result in attack… |
| CVE-2026-40324 | Critical | 9.1 | 2026-04-18 | Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLP… |
| CVE-2024-37973 | High | 8.8 | 2024-07-09 | Secure Boot Security Feature Bypass Vulnerability |
| CVE-2019-9545 | High | 8.8 | 2019-03-01 | An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a… |
| CVE-2019-9543 | High | 8.8 | 2019-03-01 | An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sendin… |
| CVE-2019-9144 | High | 8.8 | 2019-02-25 | An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted f… |
| CVE-2019-9143 | High | 8.8 | 2019-02-25 | An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafte… |
| CVE-2025-5302 | High | 8.6 | 2025-08-25 | A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerabili… |
| CVE-2024-20311 | High | 8.6 | 2024-03-27 | A vulnerability in the Locator ID Separation Protocol (LISP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote att… |
| CVE-2024-25111 | High | 8.6 | 2024-03-06 | Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked dec… |
| CVE-2023-50269 | High | 8.6 | 2023-12-14 | Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 th… |
| CVE-2019-10761 | High | 8.3 | 2022-07-13 | This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the… |
| CVE-2022-41966 | High | 8.2 | 2022-12-28 | XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow… |
| CVE-2019-1003011 | High | 8.1 | 2019-02-06 | An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenma… |
| CVE-2026-23066 | High | 7.8 | 2026-02-04 | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT… |
| CVE-2025-38459 | High | 7.8 | 2025-07-25 | In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [… |
| CVE-2025-1492 | High | 7.8 | 2025-02-20 | Bundle Protocol and CBOR dissector crashes in Wireshark 4.4.0 to 4.4.3 and 4.2.0 to 4.2.10 allows denial of service via packet injection or crafted capture file |