Cyber Resilience

CWE · MITRE source

CWE-674Uncontrolled Recursion

Abstraction: Class · CVEs in our corpus: 447

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Last updated: 04 July 2026 08:17 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 3 mapping(s) from 2 framework(s): CAPEC 2 (partial) · ATT&CK 1 (mostly)

See the full cumulative-coverage rollup →

NIST 800-53 r5 controls that address this weakness (2)AI

Control Title Family Why it addresses this CWE
CP-7Alternate Processing SiteCPSupports resumption at alternate site when uncontrolled recursion causes primary site failure or crash.
SC-5Denial-of-service ProtectionSCPrevents uncontrolled recursion that exhausts stack or CPU resources.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE Risk CVSS EPSS Published
CVE-2021-451058.05.91.00002021-12-18
CVE-2023-502698.08.60.57632023-12-14
CVE-2024-25111 UPD8.08.60.65252024-03-06
CVE-2018-10006187.09.80.01532018-07-09
CVE-2021-417527.09.80.01202022-04-05
CVE-2023-518037.09.80.00702024-04-01
CVE-2026-403247.09.10.00902026-04-18
CVE-2026-43185 UPD7.09.80.00622026-05-06
CVE-2007-12856.07.50.18162007-03-06
CVE-2017-85356.05.50.16832017-05-26
CVE-2017-85366.05.50.16832017-05-26
CVE-2017-85376.05.50.16832017-05-26
CVE-2018-07396.06.50.19302018-03-27
CVE-2021-426976.07.50.36142021-11-02
CVE-2007-34095.57.50.03492007-06-26
CVE-2016-36275.57.50.07032016-05-17
CVE-2017-58395.57.50.04482017-02-09
CVE-2017-93045.57.50.01842017-05-31
CVE-2017-94385.57.50.02572017-06-05
CVE-2017-97295.57.50.01082017-06-16
CVE-2017-97665.57.50.03822017-06-21
CVE-2017-111645.57.50.03102017-07-11
CVE-2017-115545.57.50.01882017-07-23
CVE-2017-115565.57.50.01202017-07-23
CVE-2017-129645.57.50.01842017-08-18