CWE-834: Excessive Iteration

ClassIncomplete

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

View on MITRE
Back to CWE Lookup

Extended Description

If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the product or its host system; it depends on the amount of resources consumed per iteration.

Technical Details

Structure
Simple
Vulnerability Mapping
DISCOURAGED

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-834: Excessive Iteration?+

CWE-834: Excessive Iteration is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the product or its host system; it depends on the amount of resources consumed per iteration.

What are the security consequences of Excessive Iteration?+

If exploited, CWE-834 (Excessive Iteration) it can compromise Availability, leading to outcomes such as DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification and DoS: Crash, Exit, or Restart.

How is Excessive Iteration detected?+

CWE-834 can be detected using Dynamic Analysis with Manual Results Interpretation, Manual Static Analysis - Source Code, Automated Static Analysis - Source Code and Architecture or Design Review. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Excessive Iteration?+

CWE-834 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Excessive Iteration?+

MITRE documents real CVEs mapped to CWE-834, including CVE-2011-1027 and CVE-2006-6499. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-834 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More