Skip to main content

CWE-770

Allocation of Resources Without Limits or Throttling

1402 CVEs Avg CVSS 6.6 MITRE
23
CRITICAL
636
HIGH
704
MEDIUM
34
LOW
292
POC
1
KEV

Monthly

CVE-2026-62389 HIGH PATCH This Week

Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.

Denial Of Service Ws
NVD GitHub
CVSS 4.0
8.7
CVE-2026-59762 HIGH PATCH This Week

Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a remote unauthenticated attacker sends undisclosed crafted requests that drive Traffic Management Microkernel (TMM) memory consumption upward until TMM restarts. This is a data-plane-only issue with no control-plane exposure, and it also impacts the BIG-IP Next family (Kubernetes, SPK, CNF). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the vendor rates it CVSS 4.0 8.7 (High).

Denial Of Service Big Ip Big Ip Next For Kubernetes Big Ip Next Spk Big Ip Next Cnf
NVD
CVSS 4.0
8.7
CVE-2026-13585 HIGH This Week

Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; ASUS self-reported and issued an advisory.

Denial Of Service System Control Interface V3 System Control Interface Business Manager
NVD
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-24271 MEDIUM This Month

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause allocation of GPU resources without limits or throttling. A successful exploit of this vulnerability might lead to denial of service.

Nvidia Denial Of Service Tensorrt Llm
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-15711 HIGH This Week

Remote denial of service in libsoup, the GNOME HTTP client/server library, allows unauthenticated attackers to crash any application using libsoup's WebSocket support by sending a single malformed control frame. The parser fails to enforce RFC 6455's 125-byte limit on PING/PONG/CLOSE control frames and mishandles the oversized payload instead of cleanly closing the connection, causing an internal processing crash. Red Hat reports the flaw across RHEL 6 through 10; no public exploit has been identified at time of analysis and no EPSS score was provided.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-50651 HIGH PATCH Exploit Unlikely This Week

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-50648 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Net Framework 3 5 +8
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-50525 HIGH PATCH Exploit Unlikely This Week

Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a fix.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-47302 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allows a remote unauthenticated attacker to exhaust server resources over the network, causing availability loss. The flaw stems from missing limits or throttling on resource allocation (CWE-770), and Microsoft has released a patch via MSRC. There is no public exploit identified at time of analysis, and EPSS/KEV data were not supplied, so this appears to be a proactively patched issue rather than one under active exploitation.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Net Framework 3 5 +8
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-49788 HIGH PATCH Exploit Unlikely This Week

Denial of service in the Windows HTTP/2 network stack allows a remote, unauthenticated attacker to exhaust server resources and render affected services unavailable across a broad range of Windows client and server releases (Windows 10/11 and Windows Server 2016 through 2025). Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.5 CVSS reflects high availability impact with no confidentiality or integrity loss.

Denial Of Service Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +10
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVSS 8.7
HIGH PATCH This Week

Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.

Denial Of Service Ws
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a remote unauthenticated attacker sends undisclosed crafted requests that drive Traffic Management Microkernel (TMM) memory consumption upward until TMM restarts. This is a data-plane-only issue with no control-plane exposure, and it also impacts the BIG-IP Next family (Kubernetes, SPK, CNF). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the vendor rates it CVSS 4.0 8.7 (High).

Denial Of Service Big Ip Big Ip Next For Kubernetes +2
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; ASUS self-reported and issued an advisory.

Denial Of Service System Control Interface V3 System Control Interface +1
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause allocation of GPU resources without limits or throttling. A successful exploit of this vulnerability might lead to denial of service.

Nvidia Denial Of Service Tensorrt Llm
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote denial of service in libsoup, the GNOME HTTP client/server library, allows unauthenticated attackers to crash any application using libsoup's WebSocket support by sending a single malformed control frame. The parser fails to enforce RFC 6455's 125-byte limit on PING/PONG/CLOSE control frames and mishandles the oversized payload instead of cleanly closing the connection, causing an internal processing crash. Red Hat reports the flaw across RHEL 6 through 10; no public exploit has been identified at time of analysis and no EPSS score was provided.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 +10
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a fix.

Denial Of Service Net 10 0 Net 8 0 +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allows a remote unauthenticated attacker to exhaust server resources over the network, causing availability loss. The flaw stems from missing limits or throttling on resource allocation (CWE-770), and Microsoft has released a patch via MSRC. There is no public exploit identified at time of analysis, and EPSS/KEV data were not supplied, so this appears to be a proactively patched issue rather than one under active exploitation.

Denial Of Service Net 10 0 Net 8 0 +10
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in the Windows HTTP/2 network stack allows a remote, unauthenticated attacker to exhaust server resources and render affected services unavailable across a broad range of Windows client and server releases (Windows 10/11 and Windows Server 2016 through 2025). Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.5 CVSS reflects high availability impact with no confidentiality or integrity loss.

Denial Of Service Windows 10 Version 1607 Windows 10 Version 1809 +12
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy