CWE-407 (Inefficient Algorithmic Complexity) documents a weakness type used across vulnerability databases and security assessments.
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure the worst case is reached.

| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |

These CVEs are mapped to this weakness in this database and kept for traceability and search.

| CVE | Published | Summary |
|---|---|---|
| CVE-2026-45664 | 2026-06-10 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possibl… |
| CVE-2026-41850 | 2026-06-09 | Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacke… |
| CVE-2026-11312 | 2026-06-05 | A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manip… |
| CVE-2026-8889 | 2026-06-03 | Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes). |
| CVE-2026-3276 | 2026-06-03 | unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This… |
| CVE-2026-42504 | 2026-06-02 | Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. |
| CVE-2026-8594 | 2026-05-30 | Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such … |
| CVE-2026-44378 | 2026-05-27 | Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such B… |
| CVE-2026-48959 | 2026-05-27 | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against… |
| CVE-2026-44390 | 2026-05-20 | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses … |
| CVE-2026-42923 | 2026-05-20 | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit … |
| CVE-2026-41292 | 2026-05-20 | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too man… |
| CVE-2026-42304 | 2026-05-13 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhau… |
| CVE-2026-45186 | 2026-05-10 | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. |
| CVE-2026-42245 | 2026-05-09 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when rea… |
| CVE-2026-43967 | 2026-05-08 | Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Docume… |
| CVE-2026-40476 | 2026-04-17 | graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response na… |
| CVE-2025-67841 | 2026-04-15 | Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue. |
| CVE-2026-40164 | 2026-04-14 | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table ope… |
| CVE-2026-35599 | 2026-04-10 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it … |

| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Functional_Areas, Other_Notes |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Common_Consequences |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Applicable_Platforms, Likelihood_of_Exploit |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Observed_Examples, Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Likelihood_of_Exploit |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Name, Relationships, Type |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated References, Relationships |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated References |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Alternate_Terms, Observed_Examples, Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Demonstrative_Examples, Observed_Examples, References |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Weakness_Ordinalities |