Denial of Service
Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.
How It Works
Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations: a regex engine processing malicious patterns can backtrack exponentially, and an XML parser can recursively expand entities until memory is exhausted. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.
The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs that hit worst-case performance: hash-collision inputs that fill hash tables with colliding keys, deeply nested JSON that triggers recursive parsing, or pathological regex patterns like `(a+)+b` run against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.
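Why `(a+)+b` is expensive on a run of 'a' characters, as an added example that is not part of the original page: a simplified Python model of a backtracking matcher that counts the splits it tries, plus a heuristic check for nested quantifiers. The names `backtrack_steps`, `has_nested_quantifier` and `LINEAR` are hypothetical, and the inputs are constructed.

```python
import re


def backtrack_steps(text: str) -> tuple[bool, int]:
    """Model a backtracking engine matching (a+)+b at position 0.

    Returns (matched, steps), where steps counts every split of the run of
    'a' characters that the engine tries. Simplified model, not a real engine.
    """
    steps = 0
    n = len(text)

    def group(i: int) -> bool:
        nonlocal steps
        end = i
        while end < n and text[end] == "a":
            end += 1
        # One pass of the inner a+: longest run first, then give back one
        # character at a time, as a greedy quantifier does.
        for stop in range(end, i, -1):
            steps += 1
            if stop < n and text[stop] == "b":
                return True   # the trailing b matched
            if group(stop):   # otherwise the outer + repeats the group
                return True
        return False

    return group(0), steps


# Heuristic only: a quantified group whose body also contains * or +.
# It misses {m,n} quantifiers and nested parentheses.
NESTED_QUANTIFIER = re.compile(r"\([^()]*[*+][^()]*\)[*+]")


def has_nested_quantifier(pattern: str) -> bool:
    return NESTED_QUANTIFIER.search(pattern) is not None


# Accepts the same strings as (a+)+b, but leaves only one way to split the run.
LINEAR = re.compile(r"a+b")

if __name__ == "__main__":
    for n in (4, 8, 12, 16):
        matched, steps = backtrack_steps("a" * n)   # constructed input, no 'b'
        print(f"n={n:2d} matched={matched} steps={steps}")
    for pat in ("(a+)+b", ".*(?:.*=.*)*", "a+b"):
        print(f"{pat!r}: nested quantifier = {has_nested_quantifier(pat)}")
    print("linear pattern on 5000 a's:", LINEAR.match("a" * 5000))
```

In this model each extra 'a' doubles the work on a non-matching input (2^n - 1 steps for n characters), while the rewritten pattern fails in time proportional to the input length.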
Impact
- Service unavailability preventing legitimate users from accessing applications during attack duration
- Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
- Cascading failures as resource exhaustion spreads to dependent services or database connection pools run out
- SLA violations triggering financial penalties and damaging customer trust
- Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently
Real-World Examples
CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.
Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The `.*(?:.*=.*)*` pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.
CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions, each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.
Mitigation
- Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
- Request rate limiting per IP address, API key, or user session with exponential backoff
- Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
- Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
- Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
- Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
- Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion
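The input-validation item above, applied to the nested-JSON and XML entity cases this page describes, as an added example that is not part of the original page: checks that run before the expensive parser does. The limits, function names and sample documents are assumptions constructed for illustration.

```python
import json
from xml.parsers import expat

MAX_BYTES = 64 * 1024  # assumed per-request body limit
MAX_DEPTH = 32         # assumed JSON nesting limit

# Constructed samples: a small two-level entity document and a benign one.
SAMPLE_ENTITY_XML = (b'<?xml version="1.0"?><!DOCTYPE d ['
                     b'<!ENTITY a "x"><!ENTITY b "&a;&a;">]><d>&b;</d>')
SAMPLE_PLAIN_XML = b"<order><item/><item/></order>"


class RejectedInput(ValueError):
    """Input refused before any expensive parsing work is done."""


def check_size(raw: bytes) -> None:
    if len(raw) > MAX_BYTES:
        raise RejectedInput(f"body is {len(raw)} bytes, limit is {MAX_BYTES}")


def json_depth(raw: bytes) -> int:
    """One linear pass: deepest [ / { nesting, ignoring brackets in strings."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in raw.decode("utf-8", errors="replace"):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def load_json(raw: bytes):
    check_size(raw)
    if json_depth(raw) > MAX_DEPTH:
        raise RejectedInput("JSON nesting exceeds limit")
    return json.loads(raw)


def parse_xml_no_entities(raw: bytes) -> list[str]:
    """Parse with expat, aborting at the first <!ENTITY> declaration."""
    check_size(raw)
    names: list[str] = []

    def on_entity_decl(name, *_rest):
        # Fires while the DTD is read, before any reference is expanded.
        raise RejectedInput(f"entity declaration {name!r} is not allowed")

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(raw, True)
    return names
```

Rejecting every entity declaration is stricter than capping expansion, and it suits endpoints that have no legitimate use for a DTD.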
Recent CVEs (5562)
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. [CVSS 6.5 MEDIUM]
Nr15 versions up to - is affected by improper check for unusual or exceptional conditions (CVSS 6.5).
In Modem, there is a possible read of uninitialized heap data due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. [CVSS 6.5 MEDIUM]
iccDEV ICC color profile processing library versions 2.3.1 and below contain an infinite loop in the CalcProfileID function that allows unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and affected systems should upgrade to version 2.3.1.1 or later to remediate the issue.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]
Denial of service in Anthropic MCP TypeScript SDK up to version 1.25.1 stems from catastrophic backtracking in regex processing of RFC 6570 URI templates, allowing remote attackers to trigger excessive CPU consumption and crash Node.js processes without authentication. Public exploit code exists for this vulnerability. The lack of available patches leaves affected systems exposed until upgrades to patched versions are deployed.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify starting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. [CVSS 4.3 MEDIUM]
Evershop contains a vulnerability that allows attackers to exhaust the application server's resources via the "GET /images" API (CVSS 7.5).
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service. [CVSS 5.9 MEDIUM]
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service. [CVSS 6.2 MEDIUM]
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service. [CVSS 5.1 MEDIUM]
An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400. Incorrect handling of RRC packets leads to a Denial of Service. [CVSS 7.5 HIGH]
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service. [CVSS 7.1 HIGH]
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. [CVSS 7.5 HIGH]
gpsd (before commit dc966aa) has a heap buffer overflow in the NMEA2000 satellite view handler (PGN 129540). A malicious satellite count value overwrites the skyview array, enabling code execution on GPS daemon processes. PoC available, patch available.
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 6.5 MEDIUM]
A buffer overflow vulnerability has been reported to affect License Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 6.5 MEDIUM]
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 6.5 MEDIUM]
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 6.5 MEDIUM]
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]
A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. [CVSS 3.3 LOW]
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. [CVSS 3.3 LOW]
A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. [CVSS 3.3 LOW]
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). [CVSS 7.5 HIGH]
Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service. [CVSS 6.5 MEDIUM]
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). [CVSS 4.9 MEDIUM]
Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. No vendor patch available.
Linux kernel iomap subsystem fails to allocate the s_dio_done_wq workqueue for asynchronous read operations, causing read error completions deferred by commit 222f2c7c6d14 to lack proper execution context and potentially leading to information disclosure or system instability. The vulnerability affects Linux kernel versions where the read error completion deferral was implemented without corresponding workqueue allocation for async reads. With an EPSS score of 0.01% and no evidence of active exploitation, this is a low-probability but correctness-critical issue affecting async I/O error handling on affected kernel versions.
A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify, a TypeScript library for building ActivityPub federated servers, where maliciously crafted HTML responses can cause catastrophic backtracking in the document loader's HTML parsing regex. The vulnerability affects versions prior to 1.6.13, 1.7.14, 1.8.15, and 1.9.2, allowing remote attackers to cause denial of service without authentication. A public proof-of-concept exploit is available, though the EPSS score of 0.13% indicates relatively low exploitation likelihood in the wild.
Linux kernel AMD platform management controller (PMC) driver lacks Van Gogh SoC suspend handler support, preventing S0ix suspend operations on affected devices and causing GPU driver crashes during resume due to power management failures. ASUS ROG Ally (non-X) handheld gaming devices are directly impacted. Local attackers or unprivileged users can trigger denial of service by attempting system suspend, rendering the device unresponsive and forcing a hard reboot. The vulnerability carries low exploitation probability (EPSS 0.03%) but affects a specific consumer hardware class; upstream patches are available in stable kernel branches.
Missing authentication on the HTTPS connectAP interface in TP-Link Tapo C200 V3 firmware (versions 1.3.3 through 1.4.1) allows adjacent network attackers to remotely reconfigure device Wi-Fi settings, causing permanent denial-of-service until manual intervention. The vulnerability exploits CWE-306 (Missing Authentication for Critical Function) with CVSS 8.7 severity, requiring only adjacent network access with low attack complexity and no user interaction. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the technical barrier is minimal for LAN-positioned adversaries.