CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 28 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45783 | | High | 0.42 | 7.5 | 0.00 | | Jun 10, 2026 | libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all… |
| CVE-2026-10143 | | High | 0.42 | 7.5 | 0.01 | | Jun 10, 2026 | kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py,… |
| CVE-2026-46374 | | High | 0.42 | 7.5 | 0.00 | | Jun 9, 2026 | SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application… |
| CVE-2026-36724 | | Med | 0.42 | 6.5 | 0.00 | | Jun 9, 2026 | An uncaught exception in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0 allows authenticated attackers with the module_task:job:update permission to cause a Denial of Service (DoS) via manipulating the func field of scheduled tasks. |
| CVE-2026-49842 | | High | 0.42 | 7.5 | 0.00 | | Jun 9, 2026 | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test… |
| CVE-2026-45591 | | High | 0.42 | 7.5 | 0.02 | | Jun 9, 2026 | Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network. |
| CVE-2026-11611 | | Med | 0.42 | 6.5 | 0.00 | | Jun 8, 2026 | A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause… |
| CVE-2026-49235 | | High | 0.42 | 7.5 | 0.00 | | Jun 8, 2026 | When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes. |
| CVE-2026-50212 | | Med | 0.42 | 6.5 | 0.00 | | Jun 4, 2026 | Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service. |
| CVE-2026-36605 | | Med | 0.42 | 6.5 | 0.00 | | Jun 3, 2026 | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to an HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover. |
| CVE-2019-25724 | | Med | 0.42 | 6.5 | 0.00 | | Jun 2, 2026 | Dräger Infinity M300 patient worn monitors with software version VG2.x and earlier contain a network-based denial of service vulnerability that allows attackers with access to the hospital or Infinity Network to repeatedly trigger device reboots until the device enters a fail… |
| CVE-2019-25721 | | Med | 0.42 | 6.5 | 0.00 | | Jun 2, 2026 | Dräger Infinity M300 patient worn monitors with software version VG2.3.1 and earlier contain a network-based denial of service vulnerability that allows network-adjacent attackers to repeatedly trigger device reboots by sending malicious requests over the Infinity Network.… |
| CVE-2026-49361 | | High | 0.42 | 7.5 | 0.01 | | Jun 1, 2026 | Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame… |
| CVE-2026-48208 | | Med | 0.42 | 6.5 | 0.00 | | Jun 1, 2026 | An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets… |
| CVE-2026-33464 | | Med | 0.42 | 6.5 | 0.00 | | May 28, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process… |
| CVE-2026-45047 | | High | 0.42 | 7.5 | 0.00 | | May 27, 2026 | bird-lg-go is a BIRD looking glass in Go. Prior to 1.4.5, the apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote… |
| CVE-2026-6052 | | Med | 0.42 | 6.5 | 0.00 | | May 27, 2026 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables. |
| CVE-2026-47077 | | High | 0.42 | 7.5 | 0.01 | | May 25, 2026 | Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on… |
| CVE-2026-47073 | | High | 0.42 | 7.5 | 0.01 | | May 25, 2026 | Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a… |
| CVE-2026-47071 | | High | 0.42 | 7.5 | 0.01 | | May 25, 2026 | Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form… |