Skip to main content

Mediawiki Growthexperiments Extension EUVDEUVD-2026-19978

| CVE-2026-39934 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-04-07 wikimedia-foundation GHSA-cgh3-rgf8-476j
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 22:16 euvd
EUVD-2026-19978
Analysis Generated
Apr 07, 2026 - 22:16 vuln.today
CVE Published
Apr 07, 2026 - 22:00 nvd
MEDIUM 6.9

DescriptionCVE.org

Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions.This issue affects Mediawiki - GrowthExperiments Extension: 1.45.2, 1.44.4, 1.43.7.

AnalysisAI

Infinite loop vulnerability in Wikimedia MediaWiki GrowthExperiments Extension (versions 1.45.2, 1.44.4, 1.43.7) allows unauthenticated remote attackers to trigger a denial of service condition by exploiting a Time-of-Check and Time-of-Use (TOCTOU) race condition that causes unreachable loop exit logic. The vulnerability has a CVSS score of 6.9 with low confidentiality, integrity, and availability impact across all scopes. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability (CWE-835: Loop with Unreachable Exit Condition) resides in the GrowthExperiments Extension for MediaWiki, a Wikimedia Foundation extension that facilitates new user onboarding and growth. The root cause involves a TOCTOU race condition where a condition checked at one point in code execution is no longer valid by the time the code attempts to use that condition to exit a loop. This timing window allows an attacker to modify state between the check and the actual use, causing the loop's exit condition to never be satisfied. The vulnerability is exposed via the network (AV:N) with low attack complexity (AC:L) and no authentication requirement (PR:N), making it remotely accessible. The CVSS 4.0 vector indicates low impact across confidentiality, integrity, and availability dimensions, typical of a resource exhaustion or denial of service issue rather than data breach or system compromise.

RemediationAI

Upgrade the MediaWiki GrowthExperiments Extension to a patched version released after 1.45.2, 1.44.4, or 1.43.7. The upstream fix is available in Gerrit commit 1243874 (https://gerrit.wikimedia.org/r/c/1243874) which addresses the TOCTOU race condition logic. Consult the Wikimedia Phabricator ticket T418222 (https://phabricator.wikimedia.org/T418222) for the specific patched version numbers and detailed deployment instructions. As an interim mitigation before patching, administrators may consider temporarily disabling the GrowthExperiments Extension if it is not essential to operations, or implementing rate-limiting and request throttling at the web server or load balancer level to reduce the likelihood of successful race condition exploitation. Monitor MediaWiki logs for unusual loop-related CPU spikes or request patterns that may indicate active exploitation attempts.

Share

EUVD-2026-19978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy