logo

Excessive Iteration

Incomplete Class
Structure: Simple
Description

This vulnerability occurs when a program runs a loop too many times because it lacks proper limits on its iterations.

Extended Description

When an attacker can control or influence the loop's conditions, they can force it to run far more times than intended. This quickly drains system resources like CPU cycles and memory, potentially causing slowdowns, service denial, or crashes. Even a loop that isn't technically infinite can be dangerous if each pass consumes significant resources. For developers, the core issue is trusting unvalidated input to control loop counters or termination logic. To prevent this, always enforce explicit, reasonable upper bounds on all iterative processes, especially those influenced by external data like user input, file contents, or network responses.
Common Consequences 1
Scope: Availability

Impact: DoS: Resource Consumption (CPU)DoS: Resource Consumption (Memory)DoS: AmplificationDoS: Crash, Exit, or Restart

Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The product's operation may slow down, or cause a long time to respond. If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to exhaustion of resources, such as an out-of-memory error.
Detection Methods 4
Dynamic Analysis with Manual Results InterpretationSOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Fuzz Tester Framework-based Fuzzer Forced Path Execution
Manual Static Analysis - Source CodeSOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)
Automated Static Analysis - Source CodeHigh
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Context-configured Source Code Weakness Analyzer
Architecture or Design ReviewHigh
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Demonstrative Examples 2

ID : DX-204

In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted.

Code Example:

Bad
C

void do_something_recursive (int flg) {

c
Note that the only difference between the Good and Bad examples is that the recursion flag will change value and cause the recursive call to return.

Code Example:

Good
C

void do_something_recursive (int flg) {

c

ID : DX-205

For this example, the method isReorderNeeded is part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.

Code Example:

Bad
Java
java

// get inventory count for book* int inventoryCount = inventory.getIventoryCount(bookISBN);

java
java
However, the while loop will become an infinite loop if the rateSold input parameter has a value of zero since the inventoryCount will never fall below the minimumCount. In this case the input parameter should be validated to ensure that a value of zero does not cause an infinite loop, as in the following code.

Code Example:

Good
Java
java

// validate rateSold variable* if (rateSold < 1) { ``` return isReorder; } ... }

  
Observed Examples 2
CVE-2011-1027Chain: off-by-one error (Off-by-one Error) leads to infinite loop (Loop with Unreachable Exit Condition ('Infinite Loop')) using invalid hex-encoded characters.
CVE-2006-6499Chain: web browser crashes due to infinite loop - "bad looping logic [that relies on] floating point math [Insufficient Precision or Accuracy of a Real Number] to exit the loop [Loop with Unreachable Exit Condition ('Infinite Loop')]"
  
References 2
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, and Rama S. Moorthy
07-2014
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx(2025-09-05)
ID: REF-1479
 
  
                
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Insufficient Control Flow Management (CWE-691)