Monthly
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows an unauthenticated, remote attacker to send crafted network requests that drive a request-handling routine into an infinite loop (CWE-835), exhausting CPU and rendering the federation service unavailable. All supported Windows Server releases hosting the AD FS role are impacted, and because the flaw requires no authentication and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N/UI:N), it can knock out single sign-on for every relying-party application. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-priority availability issue rather than a confirmed active-exploitation event.
Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.
Denial of service in Microsoft Azure Active Directory (Entra ID) allows a remote unauthenticated attacker to send network traffic that drives affected processing into an infinite loop (CWE-835), exhausting resources and disrupting availability of the identity service. The flaw carries CVSS 7.5 with a high-availability impact, no confidentiality or integrity effect, and no public exploit identified at time of analysis. Microsoft has released a fix, which for this cloud-hosted service is applied server-side by the vendor.
Denial of service in Windows Active Directory (spanning Windows 10, Windows 11, and Windows Server 2012 through 2025) lets a remote, unauthenticated attacker send crafted network traffic that drives an AD service into an infinite loop, exhausting CPU and rendering domain services unavailable. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N with high availability impact and no confidentiality or integrity loss, this is a pure availability threat against domain controllers. Microsoft has released a patch; there is no public exploit identified at time of analysis and no CISA KEV listing.
Roundcube Webmail's TNEF (winmail.dat) decoder enters an infinite loop when processing a specially crafted TNEF attachment, causing denial of service for users on affected installations. Versions before 1.6.17 and 1.7.x before 1.7.2 are confirmed affected per the vendor advisory issued 2026-07-05. No public exploit code and no active exploitation (CISA KEV) have been identified; the CVSS vector confirms user interaction is required, limiting automatable mass exploitation.
Denial of service in Python Pillow 12.0.0 through 12.2.0 lets a remote attacker hang an application by supplying a crafted EPS image whose %%BeginBinary directive declares a negative byte count, causing the EPS parser to seek backwards and re-parse the same directive forever. Any service that calls Image.open() on attacker-supplied EPS data is affected until upgraded to 12.3.0. No public exploit identified at time of analysis, though the upstream fix PR includes a test reproducer; the flaw is not listed in CISA KEV.
GNU patch enters an infinite CPU-consuming loop when processing a specially crafted unified-diff file containing an excessively large hunk line offset, resulting in a denial of service. The utility becomes unresponsive and must be manually terminated, impacting any pipeline, CI/CD system, or developer workflow that applies untrusted patch files. No public exploit has been identified at time of analysis, and an upstream fix commit has been published by the maintainers on Savannah; a formally tagged release is not yet independently confirmed.
Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 lets a remote attacker crash or hang the application by feeding it crafted packets that trigger infinite loops in multiple protocol dissectors. No public exploit is identified at time of analysis, and the flaw is limited to availability - no code execution or data exposure. Real-world urgency is modest: EPSS sits at 0.12% and CISA SSVC rates exploitation as 'none' with only partial technical impact.
Denial of service in pypdf before 6.14.2 lets a remote attacker hang any application that parses an attacker-supplied PDF: a page content stream carrying an unterminated inline image with an ASCII85 or ASCIIHex filter drives the parser into an infinite loop (CWE-835), most notably during page text extraction. The pure-Python library is very widely used in document-processing and data-ingestion pipelines, so a single malicious file can pin a CPU core and stall the worker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the root cause is well-described and trivially reproducible.
Denial-of-service via infinite loop in protobuf.js (the pure-JavaScript Protocol Buffers implementation for Node.js/browsers) affects versions 8.0.0 through <8.6.6 and 7.5.0 through <7.6.5. When the parser reads an option declaration in a .proto schema it advances through tokens looking for '=' without checking for end-of-input, so a truncated schema (e.g. 'option foo') hangs parse(), Root.load, or Root.loadSync forever, pinning a CPU core and stalling the event loop. No public exploit is identified at time of analysis and it is not in CISA KEV; EPSS is low (0.33%, 25th percentile), matching the SSVC rating of exploitation 'none' but automatable.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows an unauthenticated, remote attacker to send crafted network requests that drive a request-handling routine into an infinite loop (CWE-835), exhausting CPU and rendering the federation service unavailable. All supported Windows Server releases hosting the AD FS role are impacted, and because the flaw requires no authentication and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N/UI:N), it can knock out single sign-on for every relying-party application. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-priority availability issue rather than a confirmed active-exploitation event.
Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.
Denial of service in Microsoft Azure Active Directory (Entra ID) allows a remote unauthenticated attacker to send network traffic that drives affected processing into an infinite loop (CWE-835), exhausting resources and disrupting availability of the identity service. The flaw carries CVSS 7.5 with a high-availability impact, no confidentiality or integrity effect, and no public exploit identified at time of analysis. Microsoft has released a fix, which for this cloud-hosted service is applied server-side by the vendor.
Denial of service in Windows Active Directory (spanning Windows 10, Windows 11, and Windows Server 2012 through 2025) lets a remote, unauthenticated attacker send crafted network traffic that drives an AD service into an infinite loop, exhausting CPU and rendering domain services unavailable. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N with high availability impact and no confidentiality or integrity loss, this is a pure availability threat against domain controllers. Microsoft has released a patch; there is no public exploit identified at time of analysis and no CISA KEV listing.
Roundcube Webmail's TNEF (winmail.dat) decoder enters an infinite loop when processing a specially crafted TNEF attachment, causing denial of service for users on affected installations. Versions before 1.6.17 and 1.7.x before 1.7.2 are confirmed affected per the vendor advisory issued 2026-07-05. No public exploit code and no active exploitation (CISA KEV) have been identified; the CVSS vector confirms user interaction is required, limiting automatable mass exploitation.
Denial of service in Python Pillow 12.0.0 through 12.2.0 lets a remote attacker hang an application by supplying a crafted EPS image whose %%BeginBinary directive declares a negative byte count, causing the EPS parser to seek backwards and re-parse the same directive forever. Any service that calls Image.open() on attacker-supplied EPS data is affected until upgraded to 12.3.0. No public exploit identified at time of analysis, though the upstream fix PR includes a test reproducer; the flaw is not listed in CISA KEV.
GNU patch enters an infinite CPU-consuming loop when processing a specially crafted unified-diff file containing an excessively large hunk line offset, resulting in a denial of service. The utility becomes unresponsive and must be manually terminated, impacting any pipeline, CI/CD system, or developer workflow that applies untrusted patch files. No public exploit has been identified at time of analysis, and an upstream fix commit has been published by the maintainers on Savannah; a formally tagged release is not yet independently confirmed.
Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 lets a remote attacker crash or hang the application by feeding it crafted packets that trigger infinite loops in multiple protocol dissectors. No public exploit is identified at time of analysis, and the flaw is limited to availability - no code execution or data exposure. Real-world urgency is modest: EPSS sits at 0.12% and CISA SSVC rates exploitation as 'none' with only partial technical impact.
Denial of service in pypdf before 6.14.2 lets a remote attacker hang any application that parses an attacker-supplied PDF: a page content stream carrying an unterminated inline image with an ASCII85 or ASCIIHex filter drives the parser into an infinite loop (CWE-835), most notably during page text extraction. The pure-Python library is very widely used in document-processing and data-ingestion pipelines, so a single malicious file can pin a CPU core and stall the worker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the root cause is well-described and trivially reproducible.
Denial-of-service via infinite loop in protobuf.js (the pure-JavaScript Protocol Buffers implementation for Node.js/browsers) affects versions 8.0.0 through <8.6.6 and 7.5.0 through <7.6.5. When the parser reads an option declaration in a .proto schema it advances through tokens looking for '=' without checking for end-of-input, so a truncated schema (e.g. 'option foo') hangs parse(), Root.load, or Root.loadSync forever, pinning a CPU core and stalling the event loop. No public exploit is identified at time of analysis and it is not in CISA KEV; EPSS is low (0.33%, 25th percentile), matching the SSVC rating of exploitation 'none' but automatable.