CWE-400
Uncontrolled Resource Consumption
ClassDraftLikelihood: High
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (465)
page 1 of 24| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61303 | Cri | 0.64 | 9.8 | 0.00 | Oct 20, 2025 | Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results. | |
| CVE-2025-43193 | Cri | 0.64 | 9.8 | 0.00 | Jul 30, 2025 | The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to cause a denial-of-service. | |
| CVE-2025-24264 | Cri | 0.64 | 9.8 | 0.00 | Mar 31, 2025 | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing maliciously crafted web content may lead to an unexpected Safari crash. | |
| CVE-2025-24260 | Cri | 0.64 | 9.8 | 0.00 | Mar 31, 2025 | The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An attacker in a privileged position may be able to perform a denial-of-service. | |
| CVE-2025-24247 | Cri | 0.64 | 9.8 | 0.00 | Mar 31, 2025 | A type confusion issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An attacker may be able to cause unexpected app termination. | |
| CVE-2025-24211 | Cri | 0.64 | 9.8 | 0.00 | Mar 31, 2025 | This issue was addressed with improved memory handling. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory. | |
| CVE-2025-24190 | Cri | 0.64 | 9.8 | 0.00 | Mar 31, 2025 | The issue was addressed with improved memory handling. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory. | |
| CVE-2024-36543 | Cri | 0.64 | 9.8 | 0.00 | Jun 17, 2024 | Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API. | |
| CVE-2026-22542 | Cri | 0.60 | — | 0.00 | Jan 7, 2026 | An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections through the Telnet service. | |
| CVE-2026-22540 | Cri | 0.60 | — | 0.00 | Jan 7, 2026 | The massive sending of ARP requests causes a denial of service on one board of the charger that allows control of the EV interfaces. Since the board must be operating correctly for the charger to also function correctly. | |
| CVE-2025-64388 | Cri | 0.60 | — | 0.00 | Oct 31, 2025 | Denial of service of the web server through specific requests to this protocol | |
| CVE-2025-58349 | Cri | 0.59 | 9.1 | 0.00 | Apr 6, 2026 | An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect handling of LTE MAC packets containing many MAC Control Elements (CEs) leads to baseband crashes. | |
| CVE-2024-45163 | Cri | 0.59 | 9.1 | 0.00 | Aug 22, 2024 | The Mirai botnet through 2024-08-19 mishandles simultaneous TCP connections to the CNC (command and control) server. Unauthenticated sessions remain open, causing resource consumption. For example, an attacker can send a recognized username (such as root), or can send arbitrary data. | |
| CVE-2023-53873 | Hig | 0.57 | — | 0.00 | Dec 15, 2025 | SyncBreeze 15.2.24 contains a denial of service vulnerability in the login authentication mechanism that allows attackers to crash the service. Attackers can send an oversized password parameter with repeated 'password=' values to overwhelm the login endpoint and potentially disrupt service availability. | |
| CVE-2024-58306 | Hig | 0.57 | — | 0.00 | Dec 11, 2025 | minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send crafted HTTP requests with excessive data to overwhelm the server and cause service interruption. | |
| CVE-2020-36872 | Hig | 0.57 | — | 0.00 | Nov 26, 2025 | BACnet Test Server versions up to and including 1.01 contains a remote denial of service vulnerability in its BACnet/IP BVLC packet handling. The server fails to properly validate the BVLC Length field in incoming UDP BVLC frames on the default BACnet port (47808/udp). A remote unauthenticated attacker can send a malformed BVLC Length value to trigger an access violation and crash the application, resulting in a denial of service. | |
| CVE-2021-4467 | Hig | 0.57 | — | 0.00 | Nov 14, 2025 | Positive Technologies MaxPatrol 8 and XSpider contain a remote denial-of-service vulnerability in the client communication service on TCP port 2002. The service generates a new session identifier for each incoming connection without adequately limiting concurrent requests. An unauthenticated remote attacker can repeatedly issue HTTPS requests to the service, causing excessive allocation of session identifiers. Under load, session identifier collisions may occur, forcing active client sessions to disconnect and resulting in service disruption. | |
| CVE-2021-4465 | Hig | 0.57 | — | 0.01 | Nov 14, 2025 | ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 contain a remote denial-of-service vulnerability. The device can be shut down or rebooted by an unauthenticated attacker through a single crafted HTTP GET request, allowing remote interruption of service availability. | |
| CVE-2023-7326 | Hig | 0.57 | — | 0.00 | Nov 12, 2025 | The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML. A remote attacker can send a malformed request that triggers improper input parsing or memory handling, resulting in the printer process shutting down or powering off, causing a denial of service condition. | |
| CVE-2025-41360 | Hig | 0.57 | — | 0.00 | Jun 6, 2025 | Uncontrolled resource consumption vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. The device is vulnerable to a packet flooding denial of service attack. |