Skip to main content

CWE-674

Uncontrolled Recursion

337 CVEs Avg CVSS 6.6 MITRE
4
CRITICAL
153
HIGH
170
MEDIUM
10
LOW
105
POC
0
KEV

Monthly

CVE-2026-54451 HIGH POC PATCH GHSA This Week

Denial of service in the Elixir/Erlang Hex package protobuf (>= 0.8.0, < 0.16.1) allows an unauthenticated remote attacker to crash any service that decodes untrusted protobuf messages into a self-referential or cyclic message type. Because Protobuf.Decoder performs unbounded, non-tail recursion over embedded message fields, a small request body (a few KB to a few MB) can nest a field hundreds of thousands to millions of levels deep, forcing the BEAM to retain one stack/heap frame per level until it exhausts memory and pins a scheduler; a handful of concurrent requests take the node offline. This is a request-amplification DoS with a publicly available proof-of-concept, but no CISA KEV listing and no evidence of active exploitation; no CVSS or EPSS score is provided in the source data.

Google Denial Of Service
NVD GitHub
CVE-2026-40007 HIGH PATCH This Week

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.

Buffer Overflow Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-59927 PyPI MEDIUM PATCH This Month

Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.

Python Denial Of Service Mistune
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14803 MEDIUM PATCH This Month

Memory exhaustion via uncontrolled recursion in Mojo::JSON's pure-Perl decoder allows network-accessible callers to cause denial of service in Mojolicious applications. All versions before 9.47 are affected when the pure-Perl decode path is active - specifically when Cpanel::JSON::XS is absent or MOJO_NO_JSON_XS=1 is set. No public exploit has been identified and EPSS sits at 0.19% (8th percentile), but the attack is conceptually trivial given the published patch diff and OSS-Security advisory.

Denial Of Service Mojo
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-38970 HIGH This Week

Denial of service in pdfcpu (the Go PDF processing library and CLI) through v0.11.1 lets a remote attacker crash any application that parses attacker-supplied PDFs by submitting a document with deeply nested objects. The parser follows nested arrays recursively via ParseObjectContext() and parseArray() with no depth cap, so a crafted file exhausts the goroutine stack and aborts the process. No public exploit is identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with an availability-only bug rather than a code-execution risk.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-56148 MEDIUM This Month

Denial of service in Elasticsearch allows any authenticated user to crash an affected cluster node by submitting a specially crafted query that triggers uncontrolled recursion during query processing. Excessive resource consumption during request handling can render the targeted node unavailable, disrupting search and indexing operations for all dependent applications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the low privilege requirement makes it accessible to any user with query access.

Elastic Denial Of Service Elasticsearch
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-49451 NuGet HIGH PATCH GHSA This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE Privilege Escalation Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-57081 HIGH This Week

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.

Information Disclosure Net
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54888 MEDIUM PATCH This Month

Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.

Denial Of Service Mdex Mdex Native
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-13757 MEDIUM This Month

Stack exhaustion in p11-kit's RPC server crashes the daemon and any dependent cryptographic services on affected Red Hat systems. The vulnerability exists in the PKCS#11 RPC message parsing layer, where two attribute-handling functions form a mutually-recursive call chain with no depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes - allowing any local user or process with socket access to crash the server by sending a single crafted request. No public exploit or active exploitation has been identified at time of analysis, and impact is limited to availability (denial of service) with no confidentiality or integrity consequence.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +3
NVD VulDB GitHub
CVSS 3.1
6.2
EPSS
0.1%
HIGH POC PATCH This Week

Denial of service in the Elixir/Erlang Hex package protobuf (>= 0.8.0, < 0.16.1) allows an unauthenticated remote attacker to crash any service that decodes untrusted protobuf messages into a self-referential or cyclic message type. Because Protobuf.Decoder performs unbounded, non-tail recursion over embedded message fields, a small request body (a few KB to a few MB) can nest a field hundreds of thousands to millions of levels deep, forcing the BEAM to retain one stack/heap frame per level until it exhausts memory and pins a scheduler; a handful of concurrent requests take the node offline. This is a request-amplification DoS with a publicly available proof-of-concept, but no CISA KEV listing and no evidence of active exploitation; no CVSS or EPSS score is provided in the source data.

Google Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.

Buffer Overflow Apache Apache Iotdb
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory exhaustion via uncontrolled recursion in Mojo::JSON's pure-Perl decoder allows network-accessible callers to cause denial of service in Mojolicious applications. All versions before 9.47 are affected when the pure-Perl decode path is active - specifically when Cpanel::JSON::XS is absent or MOJO_NO_JSON_XS=1 is set. No public exploit has been identified and EPSS sits at 0.19% (8th percentile), but the attack is conceptually trivial given the published patch diff and OSS-Security advisory.

Denial Of Service Mojo
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in pdfcpu (the Go PDF processing library and CLI) through v0.11.1 lets a remote attacker crash any application that parses attacker-supplied PDFs by submitting a document with deeply nested objects. The parser follows nested arrays recursively via ParseObjectContext() and parseArray() with no depth cap, so a crafted file exhausts the goroutine stack and aborts the process. No public exploit is identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with an availability-only bug rather than a code-execution risk.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in Elasticsearch allows any authenticated user to crash an affected cluster node by submitting a specially crafted query that triggers uncontrolled recursion during query processing. Excessive resource consumption during request handling can render the targeted node unavailable, disrupting search and indexing operations for all dependent applications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the low privilege requirement makes it accessible to any user with query access.

Elastic Denial Of Service Elasticsearch
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.

Information Disclosure Net
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.

Denial Of Service Mdex Mdex Native
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM This Month

Stack exhaustion in p11-kit's RPC server crashes the daemon and any dependent cryptographic services on affected Red Hat systems. The vulnerability exists in the PKCS#11 RPC message parsing layer, where two attribute-handling functions form a mutually-recursive call chain with no depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes - allowing any local user or process with socket access to crash the server by sending a single crafted request. No public exploit or active exploitation has been identified at time of analysis, and impact is limited to availability (denial of service) with no confidentiality or integrity consequence.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy