Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2020-14040
Summary
Versions of the golang.org/x/text package for Go before 0.3.3 have a vulnerability in "encoding/unicode" that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with "UseBOM" or "ExpectBOM" to trigger an infinite loop if the "String" function on the "Decoder" is called, or if the Decoder is passed to "golang.org/x/text/transform.String".
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH
CWE-835 - Loop with Unreachable Exit Condition
Loops with multiple exits and flags detract from the quality of an application. They tend to make control structures difficult to understand, and they introduce the risk of non-termination and other structural problems. A "loop with unreachable exit condition" is a loop that input can drive into a state from which the exit condition is never satisfied; an attacker who controls that input can keep the program spinning, leading to denial of service.
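As an added example (not x/text's own code), the Go program below models the decoder behaviour described in the summary and the CWE-835 loop pattern above: a simplified, hypothetical BOM-expecting UTF-16 decoder with a flag selecting pre-fix or fixed handling of a lone byte at EOF, plus a String-style driver whose progress guard turns what would otherwise be an unbounded loop into a returned error. The error names, the bomUTF16Decoder type and decodeAll are assumptions of this example, and the real pre-fix code path differs in detail.

```go
package main
import (
	"encoding/binary"
	"errors"
	"unicode/utf16"
)

var ErrShortSrc = errors.New("transform: short source buffer") // "send more input"
var ErrMissingBOM = errors.New("encoding: missing byte order mark")
var ErrNoProgress = errors.New("transform: no progress at EOF; would loop forever")
// Transformer has the shape of golang.org/x/text/transform.Transformer.
type Transformer interface{ Transform(dst, src []byte, atEOF bool) (int, int, error) }
// bomUTF16Decoder is a hypothetical, simplified model (not x/text's code) of a UTF-16
// decoder built with ExpectBOM; failOnShortBOM=false models pre-fix, true models fixed.
type bomUTF16Decoder struct{ failOnShortBOM bool }
func (d bomUTF16Decoder) Transform(dst, src []byte, atEOF bool) (int, int, error) {
	if len(src) < 2 && atEOF && d.failOnShortBOM {
		return 0, 0, ErrMissingBOM // fixed: an incomplete BOM at EOF is final
	}
	if len(src) < 2 {
		return 0, 0, ErrShortSrc // pre-fix: asks for more input even at EOF
	}
	order, ok := map[[2]byte]binary.ByteOrder{{0xFE, 0xFF}: binary.BigEndian, {0xFF, 0xFE}: binary.LittleEndian}[[2]byte{src[0], src[1]}]
	if !ok {
		return 0, 0, ErrMissingBOM
	}
	units := make([]uint16, 0, len(src)/2)
	for i := 2; i+1 < len(src); i += 2 { // whole 16-bit units after the BOM
		units = append(units, order.Uint16(src[i:]))
	}
	n := copy(dst, string(utf16.Decode(units))) // caller sizes dst generously
	return n, 2 + 2*len(units), nil
}

// decodeAll drives a Transformer over a complete input like a String helper; with atEOF
// always true, a round that consumes nothing or asks for more input can only repeat
// itself forever, so the guard reports that instead of spinning.
func decodeAll(t Transformer, in []byte) (string, error) {
	dst := make([]byte, 3*len(in)+4) // each UTF-16 unit yields at most 3 UTF-8 bytes
	var out []byte
	for len(in) > 0 {
		nDst, nSrc, err := t.Transform(dst, in, true)
		out = append(out, dst[:nDst]...)
		in = in[nSrc:]
		if err == ErrShortSrc || (err == nil && nDst+nSrc == 0) {
			return string(out), ErrNoProgress
		} else if err != nil {
			return string(out), err
		}
	}
	return string(out), nil
}
```

With the single-byte input described in the summary, the pre-fix model would spin forever under an unguarded driver; here it surfaces as ErrNoProgress, while the fixed model returns ErrMissingBOM at once.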
References
Advisory Timeline
- Published