CWE · MITRE source
CWE-400: Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this weakness. The verdict is the strongest single mapping (overlapping partial mappings are not summed); breadth shows how many mappings corroborate it.
Collective: full · 8 mapping(s) from 2 framework(s): ATT&CK 5 (full) · CAPEC 3 (partial)
NIST 800-53 r5 controls that address this weakness (21) · AI
Showing the 15 most specific. Generic controls that address many weakness types are listed in the second table below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-10 | Network Disconnect | SC | Terminating idle or over-long connections bounds the number of open sessions a remote peer can hold; without it a peer can accumulate connections until the descriptor or memory pool is exhausted. |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Fault-tolerant, role-separated name resolution reduces the impact of resource-exhaustion attacks against the organization's DNS. |
| SC-36 | Distributed Processing and Storage | SC | Spreading processing and storage across locations prevents a single resource pool from being exhausted by one attack. |
| CP-4 | Contingency Plan Testing | CP | Exercising the plan against resource-exhaustion scenarios verifies that service can be restored, shortening the outage an attack on this weakness causes; it does not prevent the attack. |
| CP-5 | Contingency Plan Update | CP | Keeping the plan current with procedures to detect, contain and recover from resource exhaustion limits how long an attacker can sustain the impact. |
| CP-7 | Alternate Processing Site | CP | An alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability. |
| SI-13 | Predictable Failure Prevention | SI | MTTF monitoring and ready substitutes let components be swapped before or at failure; this limits the damage of sustained exhaustion rather than preventing the exhaustion itself. |
| SI-4 | System Monitoring | SI | Monitors for resource-exhaustion and denial-of-service patterns that indicate uncontrolled consumption. |
| SI-8 | Spam Protection | SI | Blocking or throttling unsolicited messages at entry and exit points prevents message floods from filling queues, storage or processing capacity. |
| SA-11 | Developer Testing and Evaluation | SA | Resource-consumption and denial-of-service testing under the assessment plan finds unbounded allocation paths before release. |
| SA-24 | Design For Cyber Resiliency | SA | Resiliency techniques such as redundancy, throttling and adaptive response limit uncontrolled resource consumption and denial-of-service effects. Note: SA-24 is not a control identifier in the published 800-53 r5 catalog (the SA family ends at SA-23); cyber-resiliency design is covered by SP 800-160 Vol. 2. |
| AC-10 | Concurrent Session Control | AC | Capping the number of active sessions per user or account prevents one principal from consuming the shared session pool. |
| AU-6 | Audit Record Review, Analysis, and Reporting | AU | Audit analysis identifies consumption patterns indicative of denial-of-service or abuse. |
| IR-10 | Integrated Information Security Analysis Team | IR | A dedicated analysis team can respond to resource-exhaustion incidents, reducing their impact. Note: IR-10 is withdrawn in r5 and incorporated into IR-4(11). |
| MA-6 | Timely Maintenance | MA | Maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled consumption, shortening the denial-of-service window. |

Broadly-applicable controls (6):
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-47 | Alternate Communications Paths | SC | Alternate paths allow continued organizational command and control (the control's own "C2", not attacker infrastructure) when an attacker exhausts the primary channel. |
| SC-5 | Denial-of-service Protection | SC | Directly limits uncontrolled resource consumption that leads to denial of service. |
| SC-6 | Resource Availability | SC | Directly mitigates uncontrolled consumption by enforcing allocation limits and quotas that preserve availability for legitimate use. |
| CP-8 | Telecommunications Services | CP | Alternate telecommunications services enable resumption of essential functions when primary services become unavailable through uncontrolled resource consumption. |
| PL-6 | Security-related Activity Planning | PL | Scheduling and coordinating security activities (scans, tests, maintenance) keeps those activities from themselves exhausting production resources. Note: PL-6 is withdrawn and incorporated into PL-2. |
| PM-6 | Measures of Performance | PM | Performance metrics track resource-consumption patterns, making uncontrolled consumption easier to detect. |
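The three controls that act directly on the allocation itself (SC-6 quotas, AC-10 per-principal session caps, SC-10 idle disconnect) are easiest to see in code. The following is an added example, not code from MITRE, NIST or any product on this page: an unbounded session table that exhibits CWE-400 beside a bounded one that enforces all three limits, plus a constructed flood scenario. All class names, limits and the simulated principals are hypothetical.

```python
# Added example (not MITRE's or NIST's code): a session table with the
# CWE-400 pattern beside a hardened one that enforces an SC-6 global
# quota, an AC-10 per-principal cap and SC-10 idle reaping. All names,
# limits and the simulated clients below are hypothetical.
import itertools
from collections import defaultdict


class ResourceExhausted(Exception):
    """Raised when opening a session would breach a configured limit."""


class UnboundedSessionTable:
    """The CWE-400 pattern: sessions are allocated on demand and kept
    until the peer closes them, so a peer that never closes holds memory
    indefinitely and the table grows without bound."""

    def __init__(self):
        self.sessions = {}            # session id -> (principal, last activity)
        self._ids = itertools.count(1)

    def open(self, principal, now):
        sid = next(self._ids)
        self.sessions[sid] = (principal, now)
        return sid


class BoundedSessionTable:
    """Hardened form: global quota (SC-6), per-principal concurrent cap
    (AC-10) and an idle timeout after which sessions are reaped (SC-10).
    Limits are constructor arguments so each deployment tunes them."""

    def __init__(self, max_total=1000, max_per_principal=10, idle_timeout=60.0):
        self.max_total = max_total
        self.max_per_principal = max_per_principal
        self.idle_timeout = idle_timeout
        self.sessions = {}            # session id -> [principal, last activity]
        self.per_principal = defaultdict(int)
        self._ids = itertools.count(1)

    def open(self, principal, now):
        # Reap first so idle sessions cannot permanently occupy quota.
        self.reap_idle(now)
        # Per-principal cap is checked before the global quota: it is the
        # cheaper check and isolates one hostile principal from the pool.
        if self.per_principal[principal] >= self.max_per_principal:
            raise ResourceExhausted(f"{principal}: concurrent-session cap reached")
        if len(self.sessions) >= self.max_total:
            raise ResourceExhausted("global session quota reached")
        sid = next(self._ids)
        self.sessions[sid] = [principal, now]
        self.per_principal[principal] += 1
        return sid

    def touch(self, sid, now):
        """Record activity; ids that were already reaped are ignored."""
        if sid in self.sessions:
            self.sessions[sid][1] = now

    def close(self, sid):
        entry = self.sessions.pop(sid, None)
        if entry is not None:
            self.per_principal[entry[0]] -= 1

    def reap_idle(self, now):
        """Close every session idle longer than idle_timeout; return the count."""
        stale = [sid for sid, (_, last) in self.sessions.items()
                 if now - last > self.idle_timeout]
        for sid in stale:
            self.close(sid)
        return len(stale)


def simulate_flood(table, attacker="attacker", victim="alice", attempts=5000):
    """Constructed scenario: the attacker opens sessions and never closes
    them, then a legitimate user tries to open one. Returns
    (sessions the attacker managed to hold, whether the victim succeeded)."""
    held = 0
    for _ in range(attempts):
        try:
            table.open(attacker, now=0.0)
            held += 1
        except ResourceExhausted:
            break
    try:
        table.open(victim, now=0.0)
        victim_ok = True
    except ResourceExhausted:
        victim_ok = False
    return held, victim_ok


if __name__ == "__main__":
    # Unbounded: all 5000 attacker sessions are accepted and linger forever.
    print("unbounded:", simulate_flood(UnboundedSessionTable()))    # (5000, True)
    # Bounded: the attacker is stopped at the per-principal cap of 10.
    print("bounded:  ", simulate_flood(BoundedSessionTable()))      # (10, True)
    t = BoundedSessionTable(idle_timeout=30.0)
    sid = t.open("bob", now=0.0)
    print("reaped:", t.reap_idle(now=31.0), "remaining:", len(t.sessions))  # reaped: 1 remaining: 0
```

The per-principal cap protects the pool from one identity, but an attacker with many identities (or many source addresses) still reaches the global quota, at which point the quota itself becomes the denial-of-service for legitimate users; that is why the idle-reaping step runs before every admission decision and why SC-10 timeouts should be short enough that the table turns over faster than an attacker can refill it.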
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk, a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2004-1464 KEV | 10.0 | 5.9 | 0.0513 | 2004-12-31 |
| CVE-2020-3566 KEV | 10.0 | 8.6 | 0.0363 | 2020-08-29 |
| CVE-2020-3569 KEV | 10.0 | 8.6 | 0.0329 | 2020-09-23 |
| CVE-2021-44228 KEV | 10.0 | 10.0 | 1.0000 | 2021-12-10 |
| CVE-2023-38180 KEV | 10.0 | 7.5 | 0.1552 | 2023-08-08 |
| CVE-2023-44487 KEV | 10.0 | 7.5 | 1.0000 | 2023-10-10 |
| CVE-2026-45498 KEV UPD | 10.0 | 4.0 | 0.6308 | 2026-05-20 |
| CVE-2026-28318 KEV UPD | 10.0 | 7.5 | 0.1066 | 2026-06-04 |
| CVE-2003-0714 | 8.0 | 0.0 | 0.7639 | 2003-11-17 |
| CVE-2006-1364 | 8.0 | 7.5 | 0.5874 | 2006-03-23 |
| CVE-2009-2521 | 8.0 | 0.0 | 0.8226 | 2009-09-04 |
| CVE-2011-0762 | 8.0 | 0.0 | 0.7332 | 2011-03-02 |
| CVE-2011-3192 | 8.0 | 0.0 | 0.9895 | 2011-08-29 |
| CVE-2017-5637 | 8.0 | 7.5 | 0.7365 | 2017-10-10 |
| CVE-2018-6389 | 8.0 | 7.5 | 0.7310 | 2018-02-06 |
| CVE-2018-1000115 | 8.0 | 7.5 | 0.8864 | 2018-03-05 |
| CVE-2018-5390 | 8.0 | 7.5 | 0.7354 | 2018-08-06 |
| CVE-2018-17281 | 8.0 | 7.5 | 0.5338 | 2018-09-24 |
| CVE-2017-3144 | 8.0 | 7.5 | 0.7272 | 2019-01-16 |
| CVE-2019-0199 | 8.0 | 7.5 | 0.7286 | 2019-04-10 |
| CVE-2019-11478 | 8.0 | 5.3 | 0.9469 | 2019-06-19 |
| CVE-2019-9511 | 8.0 | 7.5 | 0.5837 | 2019-08-13 |
| CVE-2019-9512 | 8.0 | 7.5 | 0.8343 | 2019-08-13 |
| CVE-2019-9513 | 8.0 | 7.5 | 0.8202 | 2019-08-13 |
| CVE-2019-9514 | 8.0 | 7.5 | 0.8281 | 2019-08-13 |