CWE-770— Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.— MITRE CWE catalog
1,933 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-770page 32 of 39
- CVE-2025-8885MEDIUMCVSS 6.3EG 6.32025-08-12
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerabil…
- CVE-2025-8916MEDIUMCVSS 6.3EG 6.32025-08-13
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle I…
- CVE-2025-9177HIGHCVSS 7.7EG 7.72025-10-14
A denial-of-service security issue exists in the affected product and version. The security issue stems from a high number of requests sent to the web server. This could result in a web server crash however; this does not impact I/O contro…
- CVE-2025-9368HIGHCVSS 8.7EG 8.72025-12-09
A security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service. A manual power cycle is required to recover the device.
- CVE-2025-9784HIGHCVSS 7.5EG 7.52025-09-02
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server…
- CVE-2026-0398MEDIUMCVSS 5.3EG 5.32026-02-09
Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.
- CVE-2026-0530MEDIUMCVSS 6.5EG 6.52026-01-13
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that contin…
- CVE-2026-0531MEDIUMCVSS 6.5EG 6.52026-01-13
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent t…
- CVE-2026-0543MEDIUMCVSS 6.5EG 6.52026-01-13
Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access w…
- CVE-2026-0897HIGHCVSS 7.5EG 7.52026-01-15
Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and…
- CVE-2026-10533MEDIUMCVSS 5.0EG 5.02026-06-01
A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace c…
- CVE-2026-10740MEDIUMCVSS 5.3EG 5.32026-06-10
Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate th…
- CVE-2026-1102MEDIUMCVSS 5.3EG 5.32026-01-22
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending re…
- CVE-2026-11586HIGHCVSS 7.5EG 7.52026-07-03
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential…
- CVE-2026-11946HIGHCVSS 7.5EG 7.52026-07-02
An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string…
- CVE-2026-11972HIGHCVSS 8.2EG 8.22026-06-23
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
- CVE-2026-12151HIGHCVSS 7.5EG 7.52026-06-17
Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continu…
- CVE-2026-1224MEDIUMCVSS 4.9EG 4.92026-01-26
Tanium addressed an uncontrolled resource consumption vulnerability in Discover.
- CVE-2026-12590MEDIUMCVSS 5.9EG 5.92026-07-09
Impact: In body-parser versions prior to 1.20.6 (1.x line) and 2.3.0 (2.x line), when the parser is configured with an invalid limit option value such as an unparseable string or NaN, bytes.parse returns null and the request body size chec…
- CVE-2026-12760MEDIUMCVSS 6.5EG 6.52026-06-24
A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets. An unauthenticated adjacent attacker can send crafted packets to cause …
- CVE-2026-12818CRITICALCVSS 9.3EG 9.32026-06-30
Delta Electronics DVP12SE PLCs are susceptible to a resource allocation vulnerability without limits or throttling (CWE-770) within their Modbus TCP service.
- CVE-2026-13322LOWCVSS 3.8EG 3.82026-06-26
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read d…
- CVE-2026-13698HIGHCVSS 7.5EG 7.52026-07-06
A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service
- CVE-2026-1387MEDIUMCVSS 6.5EG 6.52026-02-11
GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file a…
- CVE-2026-1402MEDIUMCVSS 6.5EG 6.52026-05-27
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service …
- CVE-2026-14330MEDIUMCVSS 5.5EG 5.52026-07-01
Multiple unbounded alloca() calls in the PulseAudio protocol server.
- CVE-2026-14362MEDIUMCVSS 4.9EG 4.92026-07-08
HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the proc…
- CVE-2026-1456MEDIUMCVSS 6.5EG 6.52026-02-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially…
- CVE-2026-1458MEDIUMCVSS 6.5EG 6.52026-02-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service b…
- CVE-2026-1500MEDIUMCVSS 6.5EG 6.52026-06-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to cause denial of service…
- CVE-2026-1519HIGHCVSS 7.5EG 7.52026-03-25
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative…
- CVE-2026-1526HIGHCVSS 7.5EG 7.52026-03-12
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompres…
- CVE-2026-1659HIGHCVSS 7.5EG 7.52026-05-14
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially cr…
- CVE-2026-1660MEDIUMCVSS 6.5EG 6.52026-04-22
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to cause denial of service…
- CVE-2026-1718HIGHCVSS 7.5EG 7.12026-05-27
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service with a specially crafted query when autonomous transactions are enabled.
- CVE-2026-1837HIGHCVSS 7.5EG 7.52026-02-11
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color …
- CVE-2026-1847MEDIUMCVSS 6.5EG 6.52026-02-10
Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.
- CVE-2026-1848HIGHCVSS 7.5EG 7.52026-02-10
Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy…
- CVE-2026-1850MEDIUMCVSS 6.5EG 6.52026-02-10
Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
- CVE-2026-20103HIGHCVSS 8.6EG 8.62026-03-04
A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust dev…
- CVE-2026-20216HIGHCVSS 7.5EG 7.52026-07-01
A vulnerability in the InstallShield file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper handling of temporary resources duri…
- CVE-2026-20406MEDIUMCVSS 6.5EG 7.52026-02-02
In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed.…
- CVE-2026-20431MEDIUMCVSS 6.5EG 6.52026-04-07
In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User in…
- CVE-2026-20608MEDIUMCVSS 5.5EG 5.52026-02-11
This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may lead to…
- CVE-2026-21388LOWCVSS 3.7EG 3.72026-04-09
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. M…
- CVE-2026-21434MEDIUMCVSS 5.3EG 5.32026-02-12
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an exce…
- CVE-2026-21696MEDIUMCVSS 6.5EG 6.52026-01-19
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log ent…
- CVE-2026-21710HIGHCVSS 7.5EG 7.52026-03-30
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Obj…
- CVE-2026-21728HIGHCVSS 7.5EG 7.52026-04-24
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 26…
- CVE-2026-22018LOWCVSS 3.7EG 3.72026-04-21
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.3…
Map vulnerabilities like CWE-770 to your infrastructure
EchelonGraph correlates every CVE — across CWE-770 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →