VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Abstraction: Base · Status: Incomplete · Likelihood of exploit: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
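The pattern behind most entries in the list below is a parser or reassembler that sizes a buffer from a value the peer supplies (a declared length, a stream offset, a frame size) or keeps one object per connection with no ceiling on how many connections a single source may open. The following is an added illustration, not code from the CWE catalogue or from any project named in the CVE list: an out-of-order fragment reassembler in its unbounded form beside a bounded one, plus a per-peer connection gate. The fragment format (offset plus bytes), the class and limit names, and the sample traffic are all assumptions made for the example.

```python
"""Added illustration of CWE-770 (not from the CWE catalogue or any listed project): a
fragment reassembler that trusts the peer's declared offset, its bounded counterpart, and a
per-peer connection gate.  Fragment format, names, limits and sample traffic are assumed."""


class ResourceLimitExceeded(Exception):
    """Raised by the bounded code when a peer exceeds its budget."""


class UnboundedReassembler:
    """CWE-770 pattern: buffer size is derived from the peer's declared offset, so one
    byte sent at offset N makes this side allocate N+1 bytes and hold them."""

    def __init__(self):
        self.buf = bytearray()

    def receive(self, offset, data):
        end = offset + len(data)
        if end > len(self.buf):
            self.buf.extend(bytes(end - len(self.buf)))  # grows to whatever the peer asks for
        self.buf[offset:end] = data
        return len(self.buf)  # bytes now pinned for this connection


class BoundedReassembler:
    """Hardened form: checks run before any allocation, only bytes actually received are
    stored, and delivered data is released at once rather than at connection close."""

    def __init__(self, max_stream_bytes=64 * 1024, max_buffered=16 * 1024):
        self.max_stream_bytes = max_stream_bytes  # largest acceptable offset + len(data)
        self.max_buffered = max_buffered          # out-of-order bytes held per connection
        self.fragments = {}                       # offset -> data (assumed non-overlapping)
        self.buffered = 0                         # bytes currently held
        self.delivered = 0                        # length of the in-order prefix handed out

    def receive(self, offset, data):
        end = offset + len(data)
        if end > self.max_stream_bytes:
            raise ResourceLimitExceeded(f"offset {offset}+{len(data)} exceeds stream limit")
        if end <= self.delivered or offset in self.fragments:
            return self.buffered  # retransmission of data we already have: not charged again
        if self.buffered + len(data) > self.max_buffered:
            raise ResourceLimitExceeded("per-connection reassembly budget exhausted")
        self.fragments[offset] = data
        self.buffered += len(data)
        return self.buffered

    def drain(self):
        """Return the in-order bytes now available and free their buffer space."""
        out = bytearray()
        while self.delivered in self.fragments:
            piece = self.fragments.pop(self.delivered)
            self.buffered -= len(piece)
            self.delivered += len(piece)
            out += piece
        return bytes(out)


class ConnectionGate:
    """Throttle how many reassemblers (one per connection) a single peer, and the process
    as a whole, may hold: the 'number of resources' side of CWE-770."""

    def __init__(self, max_per_peer=8, max_total=1024):
        self.max_per_peer = max_per_peer
        self.max_total = max_total
        self.per_peer = {}
        self.total = 0

    def open(self, peer):
        if self.total >= self.max_total or self.per_peer.get(peer, 0) >= self.max_per_peer:
            raise ResourceLimitExceeded(f"connection limit reached for {peer}")
        self.per_peer[peer] = self.per_peer.get(peer, 0) + 1
        self.total += 1
        return BoundedReassembler()

    def close(self, peer):
        self.per_peer[peer] -= 1
        self.total -= 1


def demo():
    """Constructed traffic: one byte at an 8 MiB offset, then an honest out-of-order stream."""
    pinned = UnboundedReassembler().receive(8 * 1024 * 1024, b"x")  # 8 MiB + 1 held
    gate = ConnectionGate()
    safe = gate.open("203.0.113.7")  # documentation-range address, assumed peer
    try:
        safe.receive(8 * 1024 * 1024, b"x")
        rejected = False
    except ResourceLimitExceeded:
        rejected = True
    safe.receive(5, b"world")
    safe.receive(0, b"hello")
    return pinned, rejected, safe.drain(), safe.buffered


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks is the point: `BoundedReassembler.receive` rejects an offset beyond the stream limit before touching memory, so the one-byte fragment that costs the unbounded version 8 MiB costs the bounded one nothing, and `drain` returns buffer space as soon as data is deliverable instead of holding it until the connection ends.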

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 29 of 49
  • CVE-2026-10740 · Med · Jun 10, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.

  • CVE-2026-41851 · Med · Jun 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0…

  • CVE-2026-50589 · Med · Jun 5, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.

  • CVE-2026-44545 · Med · Jun 3, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing…

  • CVE-2026-8486 · Med · May 20, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

  • CVE-2026-43507 · Med · May 1, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by XML parsing resource amplification from unauthenticated connections.

  • CVE-2026-33595 · Med · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    A client can trigger excessive memory allocation by generating a lot of error responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.

  • CVE-2026-33594 · Med · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.

  • CVE-2026-33254 · Med · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DoQ and DoH3 are disabled by default.

  • CVE-2026-33260 · Med · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

  • CVE-2026-33258 · Med · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.

  • CVE-2026-33257 · Med · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

  • CVE-2026-33256 · Med · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

  • CVE-2026-5762 · Med · Apr 7, 2026
    risk 0.34 · cvss (not listed) · epss 0.00

    Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS. This issue was remediated only on the `master` branch.

  • CVE-2026-0398 · Med · Feb 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.

  • CVE-2024-39724 · Med · Feb 4, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5.0), and 7.8 (on CP4D 5.1) do not properly limit the allocation of system resources. An authenticated user with internal knowledge of the environment could exploit this weakness to cause a denial of…

  • CVE-2025-15474 · Med · Jan 7, 2026
    risk 0.34 · cvss (not listed) · epss 0.00

    AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts…

  • CVE-2025-14466 · Med · Dec 16, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability in the web interface of the Güralp Fortimus Series, Minimus Series and Certimus Series allows an unauthenticated attacker with network access to send specially-crafted HTTP requests that can cause the web service process to deliberately restart. Although this…

  • CVE-2025-62672 · Med · Oct 19, 2025
    risk 0.34 · cvss 5.3 · epss 0.01

    rplay through 3.3.2 allows attackers to cause a denial of service (SIGSEGV and daemon crash) or possibly have unspecified other impact. This occurs in memcpy in the RPLAY_DATA case in rplay_unpack in librplay/rplay.c, potentially reachable via packet data with no authentication.

  • CVE-2025-41704 · Med · Oct 14, 2025
    risk 0.34 · cvss 5.3 · epss 0.01

    An unauthenticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality.