CWE-400
Uncontrolled Resource Consumption
ClassDraftLikelihood: High
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (669)
page 20 of 34| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-0049 | Med | 0.40 | 6.2 | 0.00 | Apr 6, 2026 | In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2025-60419 | Med | 0.40 | 6.2 | 0.00 | Oct 24, 2025 | An issue was discovered in the NDIS Usermode IO driver (RtkIOAC60.sys, version 6.0.5600.16348) allowing local authenticated attackers to send a crafted IOCTL request to the driver to cause a denial of service. | |
| CVE-2024-57708 | Med | 0.40 | 5.7 | 0.01 | Jun 25, 2025 | An issue in OneTrust SDK v.6.33.0 allows a local attacker to cause a denial of service via the Object.setPrototypeOf, __proto__, and Object.assign components. NOTE: this is disputed by the Supplier who does not agree it is a prototype pollution vulnerability. | |
| CVE-2025-0426 | Med | 0.40 | 6.2 | 0.00 | Feb 13, 2025 | A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk. | |
| CVE-2024-8939 | Med | 0.40 | 6.2 | 0.00 | Sep 17, 2024 | A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service. | |
| CVE-2017-15529 | Med | 0.40 | 6.2 | 0.00 | Dec 13, 2017 | Prior to 4.4.1.10, the Norton Family Android App can be susceptible to a Denial of Service (DoS) exploit. A DoS attack is a type of attack whereby the perpetrator attempts to make a particular device unavailable to its intended user by temporarily or indefinitely disrupting services of a specific host within a network. | |
| CVE-2016-9039 | Med | 0.40 | 6.2 | 0.00 | Jan 31, 2017 | An exploitable denial of service exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES. An attacker can cause a buffer to be allocated and never freed. When repeatedly exploited this will result in memory exhaustion, resulting in a full system denial of service. | |
| CVE-2026-22003 | Med | 0.39 | 6.0 | 0.00 | Apr 21, 2026 | Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H). | |
| CVE-2025-37139 | Med | 0.39 | 6.0 | 0.00 | Oct 14, 2025 | A vulnerability in an AOS firmware binary allows an authenticated malicious actor to permanently delete necessary boot information. Successful exploitation may render the system unbootable, resulting in a Denial of Service that can only be resolved by replacing the affected hardware. | |
| CVE-2025-48041 | Hig | 0.39 | — | 0.00 | Sep 11, 2025 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. | |
| CVE-2025-43772 | Hig | 0.39 | — | 0.01 | Sep 4, 2025 | Kaleo Forms Admin in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported versions does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP request. | |
| CVE-2017-15596 | Med | 0.39 | 6.0 | 0.00 | Oct 18, 2017 | An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error. | |
| CVE-2017-9259 | Med | 0.39 | 5.5 | 0.04 | Jul 27, 2017 | The TDStretch::acceptNewOverlapLength function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote attackers to cause a denial of service (memory allocation error and application crash) via a crafted wav file. | |
| CVE-2017-9129 | Med | 0.39 | 5.5 | 0.01 | Jun 21, 2017 | The wav_open_read function in frontend/input.c in Freeware Advanced Audio Coder (FAAC) 1.28 allows remote attackers to cause a denial of service (large loop) via a crafted wav file. | |
| CVE-2016-6307 | Med | 0.39 | 5.9 | 0.13 | Sep 26, 2016 | The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c. | |
| CVE-2016-4037 | Med | 0.39 | 6.0 | 0.00 | May 23, 2016 | The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558. | |
| CVE-2009-3621 | Med | 0.39 | 5.5 | 0.00 | Oct 22, 2009 | net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. | |
| CVE-2026-32686 | Med | 0.38 | — | 0.00 | May 7, 2026 | Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0. | |
| CVE-2025-70071 | Med | 0.38 | 5.9 | 0.00 | May 4, 2026 | An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray() | |
| CVE-2026-33610 | Med | 0.38 | 5.9 | 0.00 | Apr 22, 2026 | A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it. |