CWE-400: Uncontrolled Resource Consumption — known CVE vulnerabilities
CVEs classified under CWE-400 (Uncontrolled Resource Consumption), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-46775 — CVSS 9.9 (critical): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable…
CVE-2025-61303 — CVSS 9.8 (critical): Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows…
CVE-2025-43193 — CVSS 9.8 (critical): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura…
CVE-2025-24269 — CVSS 9.8 (critical): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4. An app may be able to cause unexpected…
CVE-2025-24264 — CVSS 9.8 (critical): The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS…
CVE-2025-24260 — CVSS 9.8 (critical): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura…
CVE-2025-24247 — CVSS 9.8 (critical): A type confusion issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura…
CVE-2025-24211 — CVSS 9.8 (critical): This issue was addressed with improved memory handling. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4…
CVE-2025-24190 — CVSS 9.8 (critical): The issue was addressed with improved memory handling. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4…
CVE-2024-45166 — CVSS 9.8 (critical): An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Due to improper input validation, improper deserialization, and…
CVE-2024-39462 — CVSS 9.8 (critical): In the Linux kernel, the following vulnerability has been resolved: clk: bcm: dvp: Assign ->num before accessing ->hws Commit f316cdff8d67…
CVE-2022-48716 — CVSS 9.8 (critical): In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd938x: fix incorrect used of portid Mixer controls have…
CVE-2024-36543 — CVSS 9.8 (critical): Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for…
CVE-2023-41294 — CVSS 9.8 (critical): The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super Device services.
CVE-2023-28507 — CVSS 9.8 (critical): Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer…
CVE-2021-3821 — CVSS 9.8 (critical): A potential security vulnerability has been identified for certain HP multifunction printers (MFPs). The vulnerability may lead to Denial…
CVE-2013-20004 — CVSS 9.8 (critical): A flaw was found in StarWind iSCSI target. StarWind service does not limit client connections and allocates memory on each connection…
CVE-2021-1275 — CVSS 9.8 (critical): Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain…
CVE-2017-9104 — CVSS 9.8 (critical): An issue was discovered in adns before 1.5.2. It hangs, eating CPU, if a compression pointer loop is encountered.
CVE-2019-10750 — CVSS 9.8 (critical): deeply is vulnerable to Prototype Pollution in versions before 3.1.0. The function assign-deep could be tricked into adding or modifying…
CVE-2019-10747 — CVSS 9.8 (critical): set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or…
CVE-2019-2259 — CVSS 9.8 (critical): Resource allocation error while playing the video whose dimensions are more than supported dimension in Snapdragon Auto, Snapdragon…
CVE-2018-11936 — CVSS 9.8 (critical): Index of array is processed in a wrong way inside a while loop and result in invalid index (-1 or something else) leads to out of bound…
CVE-2019-10952 — CVSS 9.8 (critical): An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a…
CVE-2018-19282 — CVSS 9.8 (critical): Rockwell Automation PowerFlex 525 AC Drives 5.001 and earlier allow remote attackers to cause a denial of service by crashing the Common…
CVE-2015-4412 — CVSS 9.8 (critical): BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial…
CVE-2017-1000378 — CVSS 9.8 (critical): The NetBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that…
CVE-2017-9119 — CVSS 9.8 (critical): The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 allows attackers to cause a denial of service (memory consumption and…
CVE-2023-50707 — CVSS 9.6 (critical): Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the…
CVE-2026-22542: An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections…
CVE-2026-22540: The massive sending of ARP requests causes a denial of service on one board of the charger that allows control of the EV interfaces. Since…
CVE-2025-64388: Denial of service of the web server through specific requests to this protocol
CVE-2025-58349 — CVSS 9.1 (critical): An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200…
CVE-2025-48609 — CVSS 9.1 (critical): In multiple functions of MmsProvider.java, there is a possible way to arbitrarily delete files which affect telephony, SMS, and MMS…
CVE-2025-53371 — CVSS 9.1 (critical): DiscordNotifications is an extension for MediaWiki that sends notifications of actions in your Wiki to a Discord channel…
CVE-2025-21547 — CVSS 9.1 (critical): Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions…
CVE-2024-45163 — CVSS 9.1 (critical): The Mirai botnet through 2024-08-19 mishandles simultaneous TCP connections to the CNC (command and control) server. Unauthenticated…
CVE-2024-30170 — CVSS 9.1 (critical): PrivX before 34.0 allows data exfiltration and denial of service via the REST API. This is fixed in minor versions 33.1, 32.3, 31.3, and…
CVE-2024-6036 — CVSS 9.1 (critical): A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to restart the server at will by sending a specific request…
CVE-2023-30769 — CVSS 9.1 (critical): Vulnerability discovered is related to the peer-to-peer (p2p) communications, attackers can craft consensus messages, send it to individual…
CVE-2022-24118 — CVSS 9.1 (critical): Certain General Electric Renewable Energy products allow attackers to use a code to trigger a reboot into the factory default…
CVE-2022-0671 — CVSS 9.1 (critical): A flaw was found in vscode-xml in versions prior to 0.19.0. Schema download could lead to blind SSRF or DoS via a large file.
CVE-2019-9750 — CVSS 9.1 (critical): In IoTivity through 1.3.1, the CoAP server interface can be used for Distributed Denial of Service attacks using source IP address spoofing…
CVE-2018-3767 — CVSS 9.1 (critical): `memjs` versions <= 1.1.0 allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage.
CVE-2025-61595: MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do…
CVE-2024-47210 — CVSS 8.8 (high): Gladys Assistant before 4.45.1 allows Privilege Escalation (a user changing their own role) because req.body.role can be used in…
CVE-2021-4440 — CVSS 8.8 (high): In the Linux kernel, the following vulnerability has been resolved: x86/xen: Drop USERGS_SYSRET64 paravirt call commit…
CVE-2020-19726 — CVSS 8.8 (high): An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory…
CVE-2022-28639 — CVSS 8.8 (high): A remote potential adjacent denial of service (DoS) and potential adjacent arbitrary code execution vulnerability that could potentially…
CVE-2020-15565 — CVSS 8.8 (high): An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain…