Skip to main content

CWE-770

Allocation of Resources Without Limits or Throttling

1404 CVEs Avg CVSS 6.6 MITRE
23
CRITICAL
636
HIGH
706
MEDIUM
34
LOW
292
POC
1
KEV

Monthly

CVE-2026-54490 MEDIUM GHSA This Month

Resource limit bypass in the websocket-driver npm library (versions < 0.7.5) allows WebSocket messages to exceed the application's configured maximum message size when the permessage-deflate compression extension is active. The size enforcement is applied to compressed frame length headers rather than the decompressed payload, meaning a highly compressed message can appear within limits on the wire but expand arbitrarily upon decompression. Vendor-released patch is available in version 0.7.5; no public exploit has been identified at time of analysis.

Denial Of Service
NVD GitHub
CVE-2026-54464 MEDIUM GHSA This Month

Resource exhaustion in the websocket-driver Ruby gem (faye/websocket-driver-ruby) allows any WebSocket peer to bypass a configured maximum message size when the permessage-deflate compression extension is in use. The size limit is enforced against the compressed frame length rather than the post-decompression size, enabling a decompression-bomb style attack where a small compressed payload expands far beyond the intended ceiling. Applications on versions below 0.8.1 silently accept oversized payloads, potentially exhausting server memory or CPU and causing a denial-of-service condition. No public exploit exists at time of analysis, but the attack class is well understood and low-complexity to implement.

Denial Of Service
NVD GitHub
CVE-2026-62389 HIGH PATCH This Week

Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.

Denial Of Service Ws
NVD GitHub
CVSS 4.0
8.7
CVE-2026-59762 HIGH PATCH This Week

Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a remote unauthenticated attacker sends undisclosed crafted requests that drive Traffic Management Microkernel (TMM) memory consumption upward until TMM restarts. This is a data-plane-only issue with no control-plane exposure, and it also impacts the BIG-IP Next family (Kubernetes, SPK, CNF). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the vendor rates it CVSS 4.0 8.7 (High).

Denial Of Service Big Ip Big Ip Next For Kubernetes Big Ip Next Spk Big Ip Next Cnf
NVD
CVSS 4.0
8.7
CVE-2026-13585 HIGH This Week

Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; ASUS self-reported and issued an advisory.

Denial Of Service System Control Interface V3 System Control Interface Business Manager
NVD
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-24271 MEDIUM This Month

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause allocation of GPU resources without limits or throttling. A successful exploit of this vulnerability might lead to denial of service.

Nvidia Denial Of Service Tensorrt Llm
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-15711 HIGH This Week

Remote denial of service in libsoup, the GNOME HTTP client/server library, allows unauthenticated attackers to crash any application using libsoup's WebSocket support by sending a single malformed control frame. The parser fails to enforce RFC 6455's 125-byte limit on PING/PONG/CLOSE control frames and mishandles the oversized payload instead of cleanly closing the connection, causing an internal processing crash. Red Hat reports the flaw across RHEL 6 through 10; no public exploit has been identified at time of analysis and no EPSS score was provided.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-50651 HIGH PATCH Exploit Unlikely This Week

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-50648 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Net Framework 3 5 +8
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-50525 HIGH PATCH Exploit Unlikely This Week

Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a fix.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
7.5
EPSS
0.6%
MEDIUM This Month

Resource limit bypass in the websocket-driver npm library (versions < 0.7.5) allows WebSocket messages to exceed the application's configured maximum message size when the permessage-deflate compression extension is active. The size enforcement is applied to compressed frame length headers rather than the decompressed payload, meaning a highly compressed message can appear within limits on the wire but expand arbitrarily upon decompression. Vendor-released patch is available in version 0.7.5; no public exploit has been identified at time of analysis.

Denial Of Service
NVD GitHub
MEDIUM This Month

Resource exhaustion in the websocket-driver Ruby gem (faye/websocket-driver-ruby) allows any WebSocket peer to bypass a configured maximum message size when the permessage-deflate compression extension is in use. The size limit is enforced against the compressed frame length rather than the post-decompression size, enabling a decompression-bomb style attack where a small compressed payload expands far beyond the intended ceiling. Applications on versions below 0.8.1 silently accept oversized payloads, potentially exhausting server memory or CPU and causing a denial-of-service condition. No public exploit exists at time of analysis, but the attack class is well understood and low-complexity to implement.

Denial Of Service
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.

Denial Of Service Ws
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a remote unauthenticated attacker sends undisclosed crafted requests that drive Traffic Management Microkernel (TMM) memory consumption upward until TMM restarts. This is a data-plane-only issue with no control-plane exposure, and it also impacts the BIG-IP Next family (Kubernetes, SPK, CNF). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the vendor rates it CVSS 4.0 8.7 (High).

Denial Of Service Big Ip Big Ip Next For Kubernetes +2
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; ASUS self-reported and issued an advisory.

Denial Of Service System Control Interface V3 System Control Interface +1
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause allocation of GPU resources without limits or throttling. A successful exploit of this vulnerability might lead to denial of service.

Nvidia Denial Of Service Tensorrt Llm
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote denial of service in libsoup, the GNOME HTTP client/server library, allows unauthenticated attackers to crash any application using libsoup's WebSocket support by sending a single malformed control frame. The parser fails to enforce RFC 6455's 125-byte limit on PING/PONG/CLOSE control frames and mishandles the oversized payload instead of cleanly closing the connection, causing an internal processing crash. Red Hat reports the flaw across RHEL 6 through 10; no public exploit has been identified at time of analysis and no EPSS score was provided.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 +10
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a fix.

Denial Of Service Net 10 0 Net 8 0 +4
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy