Cyber Posture

CWE-770: Allocation of Resources Without Limits or Throttling

Abstraction: Base · CVEs in our corpus: 1,740

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (15) · AI

Showing the 11 most specific. Generic controls that address many weakness types are collapsed below.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-10 | Network Disconnect | SC | Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections. |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Redundant provisioning limits the effectiveness of uncontrolled allocation attacks on resolution infrastructure. |
| SC-36 | Distributed Processing and Storage | SC | Decentralized allocation inherently caps the resources available to any one component or attacker, countering unbounded allocation weaknesses. |
| CP-4 | Contingency Plan Testing | CP | Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use. |
| CP-5 | Contingency Plan Update | CP | Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages. |
| CP-7 | Alternate Processing Site | CP | Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime. |
| SI-13 | Predictable Failure Prevention | SI | Pre-planned substitution limits the window an attacker can exploit unbounded allocation to cause predictable component failure. |
| SI-8 | Spam Protection | SI | The control enforces limits on message volume and unsolicited traffic, reducing the impact of resource allocations without throttling. |
| AC-10 | Concurrent Session Control | AC | This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits. |
| PL-6 | Security-related Activity Planning | PL | Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely. |
| PM-6 | Measures of Performance | PM | Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks. |

4 more broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-47 | Alternate Communications Paths | SC | Unbounded allocation or throttling attacks on one path are contained; the alternate path preserves organizational command functions. |
| SC-5 | Denial-of-service Protection | SC | Requires throttling and limits on resource allocation to prevent exhaustion. |
| SC-6 | Resource Availability | SC | Implements the missing limits and throttling on resource allocation that this weakness describes. |
| CP-8 | Telecommunications Services | CP | Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling. |

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-27316 | 6.9 | 7.5 | 0.8941 | 2024-04-04 |
| CVE-2023-2650 | 6.8 | 6.5 | 0.9208 | 2023-05-30 |
| CVE-2017-8779 | 6.4 | 7.5 | 0.8138 | 2017-05-04 |
| CVE-2008-5180 | 5.7 | 5.3 | 0.7673 | 2008-11-20 |
| CVE-2025-26466 | 4.9 | 5.9 | 0.6237 | 2025-02-28 |
| CVE-2017-6640 | 4.7 | 9.8 | 0.4610 | 2017-06-08 |
| CVE-2023-50387 | 4.6 | 7.5 | 0.5199 | 2024-02-14 |
| CVE-2017-5850 | 4.5 | 7.5 | 0.4959 | 2017-03-27 |
| CVE-2025-26682 | 4.3 | 7.5 | 0.4703 | 2025-04-08 |
| CVE-2020-3569 KEV | 4.0 | 8.6 | 0.0469 | 2020-09-23 |
| CVE-2021-36630 | 3.9 | 7.5 | 0.3992 | 2023-01-18 |
| CVE-2020-3566 KEV | 3.8 | 8.6 | 0.0214 | 2020-08-29 |
| CVE-2018-7582 | 3.7 | 7.5 | 0.3603 | 2018-03-09 |
| CVE-2025-26677 | 3.7 | 7.5 | 0.3591 | 2025-05-13 |
| CVE-2023-24998 | 3.5 | 7.5 | 0.3317 | 2023-02-20 |
| CVE-2023-26048 | 3.3 | 5.3 | 0.3678 | 2023-04-18 |
| CVE-2021-36798 | 3.2 | 7.5 | 0.2768 | 2021-08-09 |
| CVE-2019-5737 | 3.1 | 7.5 | 0.2635 | 2019-03-28 |
| CVE-2023-31472 | 3.1 | 7.5 | 0.2669 | 2023-05-09 |
| CVE-2011-0419 | 2.9 | 0.0 | 0.4878 | 2011-05-16 |
| CVE-2019-11478 | 2.8 | 5.3 | 0.2976 | 2019-06-19 |
| CVE-2023-21144 | 2.7 | 7.5 | 0.2013 | 2023-06-15 |
| CVE-2025-50172 | 2.7 | 6.5 | 0.2363 | 2025-08-12 |
| CVE-2019-6975 | 2.6 | 7.5 | 0.1840 | 2019-02-11 |
| CVE-2024-28182 | 2.6 | 5.3 | 0.2497 | 2024-04-04 |