Monthly
Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.
Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a remote unauthenticated attacker sends undisclosed crafted requests that drive Traffic Management Microkernel (TMM) memory consumption upward until TMM restarts. This is a data-plane-only issue with no control-plane exposure, and it also impacts the BIG-IP Next family (Kubernetes, SPK, CNF). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the vendor rates it CVSS 4.0 8.7 (High).
Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; ASUS self-reported and issued an advisory.
NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause allocation of GPU resources without limits or throttling. A successful exploit of this vulnerability might lead to denial of service.
Remote denial of service in libsoup, the GNOME HTTP client/server library, allows unauthenticated attackers to crash any application using libsoup's WebSocket support by sending a single malformed control frame. The parser fails to enforce RFC 6455's 125-byte limit on PING/PONG/CLOSE control frames and mishandles the oversized payload instead of cleanly closing the connection, causing an internal processing crash. Red Hat reports the flaw across RHEL 6 through 10; no public exploit has been identified at time of analysis and no EPSS score was provided.
Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a fix.
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allows a remote unauthenticated attacker to exhaust server resources over the network, causing availability loss. The flaw stems from missing limits or throttling on resource allocation (CWE-770), and Microsoft has released a patch via MSRC. There is no public exploit identified at time of analysis, and EPSS/KEV data were not supplied, so this appears to be a proactively patched issue rather than one under active exploitation.
Denial of service in the Windows HTTP/2 network stack allows a remote, unauthenticated attacker to exhaust server resources and render affected services unavailable across a broad range of Windows client and server releases (Windows 10/11 and Windows Server 2016 through 2025). Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.5 CVSS reflects high availability impact with no confidentiality or integrity loss.
Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.
Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a remote unauthenticated attacker sends undisclosed crafted requests that drive Traffic Management Microkernel (TMM) memory consumption upward until TMM restarts. This is a data-plane-only issue with no control-plane exposure, and it also impacts the BIG-IP Next family (Kubernetes, SPK, CNF). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the vendor rates it CVSS 4.0 8.7 (High).
Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; ASUS self-reported and issued an advisory.
NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause allocation of GPU resources without limits or throttling. A successful exploit of this vulnerability might lead to denial of service.
Remote denial of service in libsoup, the GNOME HTTP client/server library, allows unauthenticated attackers to crash any application using libsoup's WebSocket support by sending a single malformed control frame. The parser fails to enforce RFC 6455's 125-byte limit on PING/PONG/CLOSE control frames and mishandles the oversized payload instead of cleanly closing the connection, causing an internal processing crash. Red Hat reports the flaw across RHEL 6 through 10; no public exploit has been identified at time of analysis and no EPSS score was provided.
Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a fix.
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allows a remote unauthenticated attacker to exhaust server resources over the network, causing availability loss. The flaw stems from missing limits or throttling on resource allocation (CWE-770), and Microsoft has released a patch via MSRC. There is no public exploit identified at time of analysis, and EPSS/KEV data were not supplied, so this appears to be a proactively patched issue rather than one under active exploitation.
Denial of service in the Windows HTTP/2 network stack allows a remote, unauthenticated attacker to exhaust server resources and render affected services unavailable across a broad range of Windows client and server releases (Windows 10/11 and Windows Server 2016 through 2025). Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.5 CVSS reflects high availability impact with no confidentiality or integrity loss.