Loop with Unreachable Exit Condition ('Infinite Loop')

CVE-2020-14040

Severity High
Score 7.5/10

Summary

Versions of the golang.org/x/text package for Go before 0.3.3 have a vulnerability in "encoding/unicode" that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with "UseBOM" or "ExpectBOM" to trigger an infinite loop if the "String" function on the "Decoder" is called, or the Decoder is passed to "golang.org/x/text/transform.String".

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH
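
A defender-side check for the affected range stated in the summary (versions before 0.3.3), as an added example that is not part of this advisory or of the golang.org/x/text project: it scans a go.mod body for required versions of the module that sort before v0.3.3. The function names and the sample go.mod are constructed for illustration; replace directives are not resolved, and unparseable versions are flagged for manual review.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Affected reports whether a module version sorts before v0.3.3, the first
// golang.org/x/text release outside the advisory's affected range.
func Affected(v string) bool {
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var major, minor, patch int
	if n, _ := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); n != 3 {
		return true // unparseable: flag for manual review
	}
	// Pre-releases and pseudo-versions of 0.3.3 sort before 0.3.3 itself.
	return major == 0 && (minor < 3 || minor == 3 && (patch < 3 || patch == 3 && pre))
}

// ScanGoMod returns the golang.org/x/text versions required by a go.mod body
// that fall in the affected range. Exclude and replace lines are skipped.
func ScanGoMod(gomod string) []string {
	var hits []string
	block := ""
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // strip "// indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(": // e.g. "require (" opens a block
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 3 && f[0] == "require", len(f) == 2 && block == "require":
			if f = f[len(f)-2:]; f[0] == "golang.org/x/text" && Affected(f[1]) {
				hits = append(hits, f[1])
			}
		}
	}
	return hits
}

func main() {
	// Constructed go.mod body for illustration.
	sample := "module example.com/app\n\nrequire (\n\tgolang.org/x/text v0.3.2 // indirect\n)\n"
	fmt.Println(ScanGoMod(sample))
}
```

A hit means the build pulls in a version inside the affected range, so the module should be raised to 0.3.3 or later.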

CWE-835 - Loop with Unreachable Exit Condition

Loops with multiple exits and flags detract from the quality of an application. They tend to make control structures difficult to understand, and introduce the risk of non-termination and other structural problems. A loop whose exit condition cannot be reached lets an attacker keep the program from terminating, leading to denial of service.

Advisory Timeline

  • Published