CWE-400: Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (21)
The 15 most specific controls are listed first. Generic controls that address many weakness types follow in a second table.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-10 | Network Disconnect | SC | Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions. |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Fault tolerance reduces the impact of resource-exhaustion attacks against the organization's name services. |
| SC-36 | Distributed Processing and Storage | SC | Spreading processing and storage across locations prevents a single resource pool from being exhausted by one attack, mitigating uncontrolled consumption. |
| CP-4 | Contingency Plan Testing | CP | Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption. |
| CP-5 | Contingency Plan Update | CP | Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption. |
| CP-7 | Alternate Processing Site | CP | Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability. |
| SI-13 | Predictable Failure Prevention | SI | MTTF monitoring plus ready substitutes directly mitigate sustained resource exhaustion by allowing component swap before or at failure. |
| SI-4 | System Monitoring | SI | Monitors for resource exhaustion and denial-of-service patterns that indicate uncontrolled consumption. |
| SI-8 | Spam Protection | SI | Blocking or throttling unsolicited messages at entry/exit points prevents attackers from flooding queues, storage, or processing resources. |
| SA-11 | Developer Testing and Evaluation | SA | Resource consumption and denial-of-service testing performed under the assessment plan detects uncontrolled allocation paths that are subsequently fixed. |
| SA-24 | Design For Cyber Resiliency | SA | Resiliency techniques such as redundancy, throttling, and adaptive response limit uncontrolled resource consumption and denial-of-service effects. |
| AC-10 | Concurrent Session Control | AC | Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account. |
| AU-6 | Audit Record Review, Analysis, and Reporting | AU | Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts. |
| IR-10 | Integrated Information Security Analysis Team | IR | The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses. |
| MA-6 | Timely Maintenance | MA | Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks. |
Broadly applicable controls (6)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-47 | Alternate Communications Paths | SC | Alternate paths allow continued C2 operations when an attacker exploits resource-consumption weaknesses against the primary channel. |
| SC-5 | Denial-of-service Protection | SC | Directly limits uncontrolled resource consumption that leads to denial-of-service. |
| SC-6 | Resource Availability | SC | Directly mitigates uncontrolled consumption by enforcing allocation limits/quotas that preserve availability for legitimate use. |
| CP-8 | Telecommunications Services | CP | Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption. |
| PL-6 | Security-related Activity Planning | PL | Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption. |
| PM-6 | Measures of Performance | PM | Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-44228 (KEV) | 9.7 | 10.0 | 0.9446 | 2021-12-10 |
| CVE-2023-44487 (KEV) | 9.2 | 7.5 | 0.9445 | 2023-10-10 |
| CVE-2021-22883 | 6.9 | 7.5 | 0.8943 | 2021-03-03 |
| CVE-2019-5645 | 6.8 | 7.5 | 0.8788 | 2020-09-01 |
| CVE-2018-6389 | 6.7 | 7.5 | 0.8748 | 2018-02-06 |
| CVE-2018-1000115 | 6.5 | 7.5 | 0.8253 | 2018-03-05 |
| CVE-2018-17281 | 6.3 | 7.5 | 0.8026 | 2018-09-24 |
| CVE-2023-28342 | 6.3 | 7.5 | 0.7955 | 2023-04-05 |
| CVE-2016-8610 | 5.8 | 7.5 | 0.7113 | 2017-11-13 |
| CVE-2016-10542 | 5.5 | 7.5 | 0.6607 | 2018-05-31 |
| CVE-2011-3192 | 5.4 | 0.0 | 0.9046 | 2011-08-29 |
| CVE-2019-0199 | 5.4 | 7.5 | 0.6558 | 2019-04-10 |
| CVE-2023-23552 | 5.3 | 7.5 | 0.6334 | 2023-02-01 |
| CVE-2023-43622 | 5.2 | 7.5 | 0.6126 | 2023-10-23 |
| CVE-2020-8277 | 5.1 | 7.5 | 0.5917 | 2020-11-19 |
| CVE-2017-16086 | 5.0 | 7.5 | 0.5777 | 2018-06-07 |
| CVE-2018-16843 | 4.8 | 7.5 | 0.5554 | 2018-11-07 |
| CVE-2022-29885 | 4.8 | 7.5 | 0.5553 | 2022-05-12 |
| CVE-2024-26212 | 4.7 | 7.5 | 0.5395 | 2024-04-09 |
| CVE-2019-9512 | 4.6 | 7.5 | 0.5123 | 2019-08-13 |
| CVE-2023-36606 | 4.5 | 7.5 | 0.4976 | 2023-10-10 |
| CVE-2015-7978 | 4.1 | 7.5 | 0.4255 | 2017-01-30 |
| CVE-2025-26673 | 4.1 | 7.5 | 0.4412 | 2025-04-08 |
| CVE-2025-32724 | 4.1 | 7.5 | 0.4412 | 2025-06-10 |
| CVE-2003-0714 | 4.0 | 0.0 | 0.6700 | 2003-11-17 |