CVE-2026-39934
Infinite Loop and TOCTOU Race in MediaWiki GrowthExperiments Extension
Publication date: 2026-04-07
Last updated on: 2026-04-08
Assigner: wikimedia-foundation
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_wikimedia_foundation | mediawiki_growthexperiments_extension | 1.45.2 |
| the_wikimedia_foundation | mediawiki_growthexperiments_extension | 1.44.4 |
| the_wikimedia_foundation | mediawiki_growthexperiments_extension | 1.43.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an infinite loop, caused by a loop with an unreachable exit condition, in the Wikimedia Foundation MediaWiki GrowthExperiments Extension. It involves leveraging Time-of-Check to Time-of-Use (TOCTOU) race conditions, in which the state of a resource can change between the time it is checked and the time it is used, potentially leading to unexpected behavior.
How can this vulnerability impact me?
The vulnerability can cause the affected MediaWiki GrowthExperiments Extension to enter an infinite loop, which may lead to denial of service by consuming excessive resources or making the application unresponsive.