CWE-834: Excessive Iteration
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Last updated
Overview
If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the product or its host system; it depends on the amount of resources consumed per iteration.
Real-world CVEs
29 recorded CVEs are caused by CWE-834 (Excessive Iteration). The highest-severity and most recent are shown first. 6 new CWE-834 CVEs have been recorded so far in 2026 (6 in 2025).
- CVE-2026-45680
OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU
High · CVSS 7.5 · EPSS 24th2026-06-02 - CVE-2026-34043
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
High · CVSS 7.5 · EPSS 38th2026-03-31 - CVE-2025-67726
Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters
High · CVSS 7.5 · EPSS 30th2025-12-12 - CVE-2025-56571High · CVSS 7.5 · EPSS 33th2025-09-30
- CVE-2025-6714
Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections
High · CVSS 7.5 · EPSS 23th2025-07-07 - CVE-2024-4227High · CVSS 7.5 · EPSS 49th2025-01-15
- CVE-2023-5632
Unconditionally adding an event to the epoll causes excessive CPU consumption
High · CVSS 7.5 · EPSS 49th2023-10-18 - CVE-2023-26513High · CVSS 7.5 · EPSS 71th2023-03-20
- CVE-2022-3616High · CVSS 7.5 · EPSS 33th2022-10-28
- CVE-2021-39204High · CVSS 7.5 · EPSS 74th2021-09-09
- CVE-2021-32778High · CVSS 7.5 · EPSS 66th2021-08-24
- CVE-2021-35515High · CVSS 7.5 · EPSS 96th2021-07-13
Showing 12 of 29 recorded CWE-834 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-834 vulnerabilitiesCommon consequences
What can happen when CWE-834 is exploited.
DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification, DoS: Crash, Exit, or Restart
Affects: Availability
Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The product's operation may slow down, or cause a long time to respond. If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to exhaustion of resources, such as an out-of-memory error.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Dynamic Analysis with Manual Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Manual Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Automated Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Architecture or Design Review
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted.
Vulnerable example
... // Do some real work here, but the value of flg is unmodifiedSafe example
... // Do some real work hereNote that the only difference between the Good and Bad examples is that the recursion flag will change value and cause the recursive call to return.
For this example, the method isReorderNeeded is part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.
Vulnerable example
public boolean isReorderNeeded(String bookISBN, int rateSold) {Safe example
public boolean isReorderNeeded(String bookISBN, int rateSold) {However, the while loop will become an infinite loop if the rateSold input parameter has a value of zero since the inventoryCount will never fall below the minimumCount. In this case the input parameter should be validated to ensure that a value of zero does not cause an infinite loop, as in the following code.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2011-1027 — Chain: off-by-one error (CWE-193) leads to infinite loop (CWE-835) using invalid hex-encoded characters.
- CVE-2006-6499 — Chain: web browser crashes due to infinite loop - "bad looping logic [that relies on] floating point math [CWE-1339] to exit the loop [CWE-835]"
Frequently asked questions
Common questions about CWE-834.
- What is CWE-834?
- The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
- What CVEs are caused by CWE-834?
- 29 recorded CVEs are attributed to CWE-834, including CVE-2026-45680, CVE-2026-34043, CVE-2025-67726.
- How is CWE-834 detected?
- Dynamic Analysis with Manual Results Interpretation: According to SOAR [REF-1479], the following detection techniques may be useful:
- What are the consequences of CWE-834?
- Exploiting CWE-834 can lead to: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification, DoS: Crash, Exit, or Restart.
- Is CWE-834 actively exploited?
- 29 recorded CVEs are caused by CWE-834; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-834) (opens in a new tab)
- CWE-834 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-834
Get alerted the moment a new CWE-834 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.