Denial of Service

Category: other | Typical severity: MEDIUM

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.

How It Works

Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations: a regex engine processing malicious patterns can backtrack exponentially, and an XML parser can recursively expand entities until memory is exhausted. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.

The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs that hit worst-case performance: keys chosen to collide in a hash table, deeply nested JSON that triggers recursive parsing, or pathological regex patterns like `(a+)+b` matched against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.
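
The growth described above can be measured directly. The following is an added example, not code from this page: a toy backtracking matcher (the node tuples and function names are constructed for the illustration) that counts character tests for `(a+)+b` and for the equivalent `a+b` on strings of repeated 'a'.

```python
# Added illustration: a toy backtracking matcher that counts character tests.
# Node forms (constructed for this example):
#   ("lit", ch)   ("cat", [nodes])   ("plus", node)

LIT_A = ("lit", "a")
NESTED = ("cat", [("plus", ("plus", LIT_A)), ("lit", "b")])  # (a+)+b
LINEAR = ("cat", [("plus", LIT_A), ("lit", "b")])            # a+b, same language


def count_steps(pattern, text):
    """Match `pattern` at offset 0 of `text`; return (matched, character_tests)."""
    steps = 0

    def match(node, i, k):
        # k is the continuation: what must still match after this node.
        nonlocal steps
        kind = node[0]
        if kind == "lit":
            steps += 1
            return i < len(text) and text[i] == node[1] and k(i + 1)
        if kind == "cat":
            parts = node[1]

            def run(idx, pos):
                if idx == len(parts):
                    return k(pos)
                return match(parts[idx], pos, lambda p: run(idx + 1, p))

            return run(0, i)
        if kind == "plus":
            # Greedy: after one iteration try another first, then fall back
            # to the continuation. The p > i guard stops empty-loop recursion.
            def after(p):
                return (p > i and match(node, p, k)) or k(p)

            return match(node[1], i, after)
        raise ValueError(f"unknown node kind: {kind}")

    matched = match(pattern, 0, lambda p: True)
    return matched, steps


def growth_table(lengths):
    """Steps for (a+)+b and a+b on 'a' * n (no trailing 'b', so both fail)."""
    rows = []
    for n in lengths:
        text = "a" * n
        rows.append((n, count_steps(NESTED, text)[1], count_steps(LINEAR, text)[1]))
    return rows


if __name__ == "__main__":
    for n, nested, linear in growth_table(range(4, 17, 4)):
        print(f"n={n:2d}  (a+)+b: {nested:7d} steps   a+b: {linear:3d} steps")
    print("matching input:", count_steps(NESTED, "a" * 16 + "b"))
```

On n repeated 'a' characters the nested pattern's count roughly doubles with each added character while `a+b` stays linear. An input that ends in 'b' matches in n + 3 tests, which is why the problem stays hidden under normal traffic.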

Impact

  • Service unavailability preventing legitimate users from accessing applications during attack duration
  • Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
  • Cascading failures as resource exhaustion spreads to dependent services or database connection pools are exhausted
  • SLA violations triggering financial penalties and damaging customer trust
  • Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently

Real-World Examples

CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.

Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The `.*(?:.*=.*)*` pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.

CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions, each entity expanding to ten copies of the previous level. A 1 KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.

Mitigation

  • Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
  • Request rate limiting per IP address, API key, or user session with exponential backoff
  • Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
  • Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
  • Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
  • Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
  • Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion
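
A sketch of the first mitigation, as an added example that is not part of the original page: size and nesting-depth checks that run in linear time before the JSON parser is invoked, and an XML loader that refuses DOCTYPE and entity declarations before any expansion can happen. The limits, function names and sample documents are assumptions chosen for the illustration.

```python
import json
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_BYTES = 64 * 1024   # assumed request-body cap for this example
MAX_DEPTH = 32          # assumed nesting limit for this example


class RejectedInput(ValueError):
    """Raised before any expensive parsing starts."""


def json_depth(raw: bytes) -> int:
    """Maximum bracket nesting in one linear pass, skipping string contents."""
    depth = deepest = 0
    in_string = escaped = False
    for b in raw:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:        # backslash starts an escape
                escaped = True
            elif b == 0x22:        # closing quote
                in_string = False
        elif b == 0x22:            # opening quote
            in_string = True
        elif b in (0x5B, 0x7B):    # [ or {
            depth += 1
            deepest = max(deepest, depth)
        elif b in (0x5D, 0x7D):    # ] or }
            depth -= 1
    return deepest


def load_json_bounded(raw: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Parse JSON only after the size and depth bounds have been checked."""
    if len(raw) > max_bytes:
        raise RejectedInput(f"body is {len(raw)} bytes, limit {max_bytes}")
    depth = json_depth(raw)
    if depth > max_depth:
        raise RejectedInput(f"nesting depth {depth}, limit {max_depth}")
    return json.loads(raw)


def load_xml_no_dtd(raw: bytes, max_bytes=MAX_BYTES):
    """Parse XML, refusing any document that declares a DTD or entities."""
    if len(raw) > max_bytes:
        raise RejectedInput(f"body is {len(raw)} bytes, limit {max_bytes}")

    def forbid(*_args):
        raise RejectedInput("DOCTYPE and entity declarations are not accepted")

    # First pass: expat aborts at the first declaration, before any
    # entity reference in the document body is expanded.
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = forbid
    scanner.EntityDeclHandler = forbid
    try:
        scanner.Parse(raw, True)
    except expat.ExpatError as exc:
        raise RejectedInput(f"malformed XML: {exc}") from exc
    return ET.fromstring(raw)


# Constructed sample inputs.
DEEP_JSON = b"[" * 1000 + b"]" * 1000
TRICKY_JSON = rb'{"a": "[[[", "b": [1, {"c": "\"]"}]}'
DTD_XML = b'<!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>'
PLAIN_XML = b"<order><id>7</id></order>"

if __name__ == "__main__":
    print("depth of TRICKY_JSON:", json_depth(TRICKY_JSON))
    for name, loader, doc in (("deep JSON", load_json_bounded, DEEP_JSON),
                              ("DTD XML", load_xml_no_dtd, DTD_XML)):
        try:
            loader(doc)
        except RejectedInput as exc:
            print(f"{name} rejected: {exc}")
    print("plain XML root:", load_xml_no_dtd(PLAIN_XML).tag)
```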

Recent CVEs (5561)

EPSS 0% CVSS 7.5
HIGH PATCH This Week

Seroval versions 1.4.0 and below allow remote attackers to cause denial of service through maliciously crafted RegExp patterns during deserialization, either by exhausting memory with oversized patterns or triggering catastrophic backtracking (ReDoS). The vulnerability requires no authentication or user interaction and affects any application using the library to deserialize untrusted serialized data. A patch is available in version 1.4.1.

Denial Of Service Deserialization Seroval +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

ImageMagick and Magick.NET versions 14.10.1 and below are vulnerable to denial of service attacks through a null pointer dereference in the MSL parser when processing malformed comment tags, exploitable by authenticated attackers without user interaction. Public exploit code exists for this vulnerability, and affected systems may crash or experience assertion failures depending on build configuration. No patch is currently available to address this medium-severity issue.

Null Pointer Dereference Denial Of Service Magick.Net +3
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SumatraPDF on Windows is vulnerable to a denial-of-service attack through a maliciously crafted Mobi file that triggers an integer underflow in record validation, causing an out-of-bounds heap read and application crash. The vulnerability stems from an off-by-one error in the PalmDbReader::GetRecord function that only occurs with exactly 2 records, and public exploit code is available. No patch has been released at this time.

Windows Integer Overflow Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Fleet device management software versions prior to 4.78.3 suffer from broken access control that permits any authenticated user, including low-privilege observers, to access debug and profiling endpoints. Attackers can leverage this vulnerability to extract sensitive server diagnostics, runtime profiling data, and application state, or trigger CPU-intensive operations resulting in denial of service. The vulnerability affects multiple Fleet versions and has patches available.

Industrial Denial Of Service Fleet +1
NVD GitHub
EPSS 0%
Monitor

ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service.

Denial Of Service
NVD GitHub
EPSS 0%
This Week

ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under speci...

Github Buffer Overflow Stack Overflow +3
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM This Month

Libocpp versions up to 0.30.1 are affected by allocation of resources without limits or throttling (CVSS 4.7).

Denial Of Service Libocpp
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, causing both the loop and its caller to terminate silently. [CVSS 6.5 MEDIUM]

Denial Of Service Everest
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. [CVSS 7.4 HIGH]

Denial Of Service Everest
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermeter SLIP parser reads `vec[vec.size()-1]` and `vec[vec.size()-2]` without checking that at least two bytes are present. [CVSS 4.6 MEDIUM]

Denial Of Service Everest
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via fs/ggml/gguf.go: the function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]

Denial Of Service AI / ML Ollama +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]

Denial Of Service AI / ML Ollama +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

GeoGebra Graphing Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

GeoGebra Classic 5.0.631.0-d contains a denial of service vulnerability in the input field that allows attackers to crash the application by sending oversized buffer content. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

GeoGebra CAS Calculator 6.0.631.0 has a denial of service vulnerability that crashes the application through uncontrolled resource consumption triggered by crafted mathematical expressions.

Buffer Overflow Denial Of Service
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access. [CVSS 7.5 HIGH]

Denial Of Service Suse
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.0
MEDIUM This Month

Improper file permissions in Cisco Intersight Virtual Appliance's maintenance shell allow authenticated administrators to escalate privileges to root and gain full control of the system. An attacker with local administrative access can manipulate configuration files to bypass intended privilege restrictions, potentially compromising sensitive data and workload configurations. No patch is currently available for this vulnerability.

Cisco Denial Of Service
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

SSH service disruption in Cisco IEC6400 Wireless Backhaul Edge Compute Software allows unauthenticated remote attackers to trigger denial of service through connection flooding due to missing rate limiting protections. An attacker can render the SSH service unresponsive by launching a DoS attack against the SSH port, though other device operations remain functional during the attack. No patch is currently available.

Cisco Ssh Denial Of Service
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_727F4 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1803 Firmware +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_72290 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1803 Firmware +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the time parameter of the sub_60CFC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1806 Firmware +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1803 Firmware +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1806 Firmware +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetWifiMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1806 Firmware +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A null pointer dereference in the Linux kernel's socket error queue handling causes a denial of service when CONFIG_HARDENED_USERCOPY is enabled and applications attempt to retrieve error messages via recvmsg(). Local attackers with user privileges can trigger a kernel panic by reading from the socket error queue on affected systems running vulnerable kernel versions.

Linux Denial Of Service Linux Kernel +2
NVD
EPSS 0% CVSS 3.7
LOW Monitor

A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. [CVSS 3.7 LOW]

Buffer Overflow Integer Overflow Denial Of Service
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

M-Files Server before version 26.1.15632.3 can be crashed by authenticated administrators with vault privileges through an unsafe API endpoint, resulting in service disruption. This denial-of-service vulnerability requires high-level privileges and network access, making it a limited-scope threat to organizations running vulnerable versions. No patch is currently available.

Denial Of Service M Files Server
NVD
EPSS 0% CVSS 8.1
HIGH This Week

VM VirtualBox versions up to 7.1.14 contain a vulnerability that gives attackers unauthorized creation, deletion or modification access to critical data or all O (CVSS 8.1).

Oracle Virtualbox Denial Of Service +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

VM VirtualBox versions up to 7.1.14 contain a vulnerability that gives attackers the unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 7.1).

Oracle Windows Virtualbox +2
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 4.6 MEDIUM]

Oracle Virtualbox Denial Of Service +1
NVD
EPSS 0% CVSS 4.5
MEDIUM This Month

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. [CVSS 4.5 MEDIUM]

Oracle Java Denial Of Service +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

MySQL Server contains a vulnerability that gives attackers the unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 6.5).

Oracle MySQL Mssql +4
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Hospitality Opera 5 versions up to 5.6.19.23 contain a vulnerability that gives attackers unauthorized access to critical data or complete access to all Oracle Hospitalit (CVSS 8.6).

Oracle Denial Of Service Hospitality Opera 5
NVD
EPSS 0% CVSS 2.7
LOW Monitor

MySQL Server contains a vulnerability that gives attackers the unauthorized ability to cause a partial denial of service (partial DOS) of MySQL (CVSS 2.7).

Oracle MySQL Mssql +1
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

MySQL contains a vulnerability that gives attackers the unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).

Oracle MySQL Mssql +3
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]

Oracle MySQL Mssql +4
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]

Oracle MySQL Mssql +4
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]

Oracle MySQL Mssql +4
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]

Oracle MySQL Mssql +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated attackers to trigger application hangs or crashes via network-accessible protocols. Multiple Java versions including JDK 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1 are affected through a flaw in the Security component. No patch is currently available for this high-severity vulnerability.

Oracle Java Denial Of Service +6
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. [CVSS 5.0 MEDIUM]

Oracle Denial Of Service Solaris
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]

Oracle MySQL Mssql +4
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

MySQL Server contains a vulnerability that gives attackers the unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).

Oracle MySQL Mssql +4
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

MySQL Cluster contains a vulnerability that gives attackers the unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).

Oracle MySQL Mssql +5
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

MySQL Server contains a vulnerability that gives attackers the unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 5.3).

Oracle MySQL Mssql +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Siebel Customer Relationship Management Deployment contains a vulnerability that gives attackers the unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 7.5).

Oracle Tls Denial Of Service +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Node.js TLS servers using PSK or ALPN callbacks are vulnerable to denial of service when these callbacks throw unhandled synchronous exceptions during the TLS handshake. Remote attackers can exploit this by sending specially crafted TLS handshake requests to trigger resource exhaustion or process crashes, either through immediate termination or silent file descriptor leaks. No patch is currently available for this vulnerability.

Node.js Tls Denial Of Service +3
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

Buffer Overflow Denial Of Service Trust Wallet Core
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node.Js +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node.Js +2
NVD HeroDevs
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. [CVSS 7.5 HIGH]

Node.js OpenSSL Tls +4
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server +1
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

NVIDIA Nsight Systems for Windows contains a vulnerability in the application’s DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. [CVSS 6.7 MEDIUM]

Windows Denial Of Service Privilege Escalation +2
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. [CVSS 7.3 HIGH]

Linux Denial Of Service Privilege Escalation +4
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. [CVSS 7.3 HIGH]

Windows Denial Of Service Privilege Escalation +3
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. [CVSS 7.3 HIGH]

Denial Of Service Privilege Escalation Command Injection +3
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. [CVSS 7.5 HIGH]

Denial Of Service Tinymqtt
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
EPSS 0%
Monitor

Multiple denial-of-service vulnerabilities exist in the affected product. These issues can be triggered through various crafted inputs, including malformed Class 3 messages, memory leak conditions, and other resource exhaustion scenarios.

Denial Of Service
NVD
EPSS 0%
Monitor

affected product. The security issue occurs when a malformed CIP forward open message is sent. This allows attackers to cause a major nonrecoverable fault; a restart is required to recover.

Denial Of Service
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. [CVSS 5.5 MEDIUM]

Integer Overflow Denial Of Service Redhat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Swift W3C TraceContext and Swift OTel improperly validate malformed HTTP headers, enabling remote attackers to crash affected services through denial-of-service attacks. This vulnerability affects applications using these libraries for distributed tracing and telemetry, particularly HTTP servers processing untrusted network input. No patch is currently available, though versions 1.0.0-beta.5 of Swift W3C TraceContext and 1.0.4 of Swift OTel are expected to address the issue.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Mytube versions up to 1.7.71 contain a vulnerability that allows attackers to bypass IP-based rate limiting on general API endpoints (CVSS 6.5).

Denial Of Service Mytube
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Birkir Prime versions up to 0.4.0.beta.0 are vulnerable to resource exhaustion attacks through the GraphQL Alias Handler endpoint, allowing unauthenticated remote attackers to cause denial of service. Public exploit code is available for this vulnerability, and the project has not yet released a patch despite early notification. The attack requires no user interaction and can be executed over the network with minimal complexity.

Denial Of Service Prime
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Prime versions up to 0.4.0.beta.0 are vulnerable to denial of service attacks through the GraphQL Array Based Query Batch Handler component, which can be exploited remotely without authentication. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.

Denial Of Service Prime
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. [CVSS 6.5 MEDIUM]

Denial Of Service Wings Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

ChatterBot versions through 1.2.10 suffer from denial-of-service vulnerabilities due to improper connection pool management that allows attackers to exhaust database connections through concurrent requests to the get_response() method, causing persistent service unavailability. Public exploit code exists for this vulnerability, which affects all deployments of the affected ChatterBot versions and requires manual service restart to recover. ChatterBot 1.2.11 addresses this issue.

Denial Of Service AI / ML Chatterbot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Birkir Prime versions up to 0.4.0.beta.0 contain a denial of service vulnerability in the GraphQL Directive Handler that can be exploited remotely without authentication. Public exploit code exists for this vulnerability, and the developers have not released a patch despite early notification. An unauthenticated attacker can leverage this flaw to disrupt service availability.

Denial Of Service Prime
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Remote denial of service in birkir Prime up to version 0.4.0.beta.0 can be triggered through the GraphQL Field Handler endpoint without authentication. Public exploit code exists for this vulnerability, though no patch is currently available from the project maintainers.

Denial Of Service Prime
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. [CVSS 6.5 MEDIUM]

Denial Of Service Panel
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

FreeRDP prior to 3.21.0 has a use-after-free vulnerability in offscreen bitmap deletion that leaves dangling pointers, exploitable by malicious RDP servers for client-side code execution.

Use After Free Denial Of Service Freerdp +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

FreeRDP prior to 3.21.0 has a use-after-free vulnerability in xf_Pointer_New where cursor data is freed prematurely, allowing malicious RDP servers to execute code on clients.

Use After Free Denial Of Service Freerdp +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

ESPHome versions 2025.9.0 through 2025.12.6 are vulnerable to a denial-of-service attack via integer overflow in the API protobuf decoder, affecting all supported microcontroller platforms (ESP32, ESP8266, RP2040, LibreTiny). Unauthenticated attackers can crash ESPHome devices by sending specially crafted packets with large field length values to bypass bounds checking when API encryption is disabled. Upgrade to version 2025.12.7 or later to remediate.

Integer Overflow Denial Of Service Esphome +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

FreeRDP versions before 3.21.0 contain a buffer overflow in FastGlyph parsing where a malicious Remote Desktop server can crash the client by sending specially crafted glyph data that bypasses length validation. A remote attacker can exploit this vulnerability without authentication to cause denial of service, and public exploit code exists. The vulnerability affects FreeRDP clients connecting to untrusted or compromised RDP servers, with no patch currently available for most deployments.

Buffer Overflow Denial Of Service Freerdp +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

FreeRDP prior to 3.21.0 contains a client-side heap buffer overflow in session data processing, the fifth in a series of seven critical heap overflows fixed in version 3.21.0.

Buffer Overflow Denial Of Service Freerdp +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

FreeRDP prior to 3.21.0 has another client-side heap buffer overflow that can be exploited by malicious RDP servers to achieve remote code execution on connected clients.

Buffer Overflow Denial Of Service Freerdp +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

FreeRDP prior to 3.21.0 has a client-side heap buffer overflow that can be triggered by a malicious RDP server during session data processing, enabling remote code execution.

Buffer Overflow Denial Of Service Freerdp +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

FreeRDP prior to 3.21.0 has a heap buffer overflow in ClearCodec glyph data processing that allows a malicious RDP server to execute arbitrary code on connected clients.

Buffer Overflow Denial Of Service Freerdp +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

FreeRDP prior to 3.21.0 has a heap buffer overflow in bitmap decompression (planar codec) that can be triggered by a malicious RDP server to execute code on the client.

Buffer Overflow Denial Of Service Freerdp +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using Quicly. [CVSS 7.5 HIGH]

Denial Of Service Quicly
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthenticated attackers can crash the server by sending specially crafted packets. This vulnerability requires no user interaction and is easily exploitable over the network, though no patch is currently available. Organizations running affected versions should implement network-level mitigations to restrict access to the vulnerable service.

Denial Of Service Secure Access
NVD

Quick Facts

Typical Severity: MEDIUM
Category: other
Total CVEs: 5561
