Cyber Resilience

CWE · MITRE source

CWE-400: Uncontrolled Resource Consumption

Abstraction: Class · CVEs in our corpus: 3,175

The product does not properly control the allocation and maintenance of a limited resource.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 8 mapping(s) from 2 framework(s): ATT&CK 5 (full) · CAPEC 3 (partial)


NIST 800-53 r5 controls that address this weakness (21)

Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.

Control · Title · Family · Why it addresses this CWE
SC-10 · Network Disconnect · SC · Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.
SC-22 · Architecture and Provisioning for Name/Address Resolution Service · SC · Fault tolerance reduces the impact of resource-exhaustion attacks against the organization's name services.
SC-36 · Distributed Processing and Storage · SC · Spreading processing and storage across locations prevents a single resource pool from being exhausted by one attack, mitigating uncontrolled consumption.
CP-4 · Contingency Plan Testing · CP · Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
CP-5 · Contingency Plan Update · CP · Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
CP-7 · Alternate Processing Site · CP · An alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
SI-13 · Predictable Failure Prevention · SI · MTTF monitoring plus ready substitutes directly mitigate sustained resource exhaustion by allowing component swap before or at failure.
SI-4 · System Monitoring · SI · Monitors for resource exhaustion and denial-of-service patterns that indicate uncontrolled consumption.
SI-8 · Spam Protection · SI · Blocking or throttling unsolicited messages at entry/exit points prevents attackers from flooding queues, storage, or processing resources.
SA-11 · Developer Testing and Evaluation · SA · Resource consumption and denial-of-service testing performed under the assessment plan detects uncontrolled allocation paths that are subsequently fixed.
SA-24 · Design for Cyber Resiliency · SA · Resiliency techniques such as redundancy, throttling, and adaptive response limit uncontrolled resource consumption and denial-of-service effects.
AC-10 · Concurrent Session Control · AC · Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
AU-6 · Audit Record Review, Analysis, and Reporting · AU · Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
IR-10 · Integrated Information Security Analysis Team · IR · The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.
MA-6 · Timely Maintenance · MA · Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.

Broadly applicable controls (6):
SC-47 · Alternate Communications Paths · SC · Alternate paths allow continued C2 operations when an attacker exploits resource-consumption weaknesses against the primary channel.
SC-5 · Denial-of-service Protection · SC · Directly limits uncontrolled resource consumption that leads to denial-of-service.
SC-6 · Resource Availability · SC · Directly mitigates uncontrolled consumption by enforcing allocation limits/quotas that preserve availability for legitimate use.
CP-8 · Telecommunications Services · CP · Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
PL-6 · Security-related Activity Planning · PL · Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption.
PM-6 · Measures of Performance · PM · Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE (KEV flag) · Risk · CVSS · EPSS · Published
CVE-2004-1464 (KEV) · 10.0 · 5.9 · 0.0513 · 2004-12-31
CVE-2020-3566 (KEV) · 10.0 · 8.6 · 0.0363 · 2020-08-29
CVE-2020-3569 (KEV) · 10.0 · 8.6 · 0.0329 · 2020-09-23
CVE-2021-44228 (KEV) · 10.0 · 10.0 · 1.0000 · 2021-12-10
CVE-2023-38180 (KEV) · 10.0 · 7.5 · 0.1552 · 2023-08-08
CVE-2023-44487 (KEV) · 10.0 · 7.5 · 1.0000 · 2023-10-10
CVE-2026-45498 (KEV, UPD) · 10.0 · 4.0 · 0.6308 · 2026-05-20
CVE-2026-28318 (KEV, UPD) · 10.0 · 7.5 · 0.1066 · 2026-06-04
CVE-2003-0714 · 8.0 · 0.0 · 0.7639 · 2003-11-17
CVE-2006-1364 · 8.0 · 7.5 · 0.5874 · 2006-03-23
CVE-2009-2521 · 8.0 · 0.0 · 0.8226 · 2009-09-04
CVE-2011-0762 · 8.0 · 0.0 · 0.7332 · 2011-03-02
CVE-2011-3192 · 8.0 · 0.0 · 0.9895 · 2011-08-29
CVE-2017-5637 · 8.0 · 7.5 · 0.7365 · 2017-10-10
CVE-2018-6389 · 8.0 · 7.5 · 0.7310 · 2018-02-06
CVE-2018-1000115 · 8.0 · 7.5 · 0.8864 · 2018-03-05
CVE-2018-5390 · 8.0 · 7.5 · 0.7354 · 2018-08-06
CVE-2018-17281 · 8.0 · 7.5 · 0.5338 · 2018-09-24
CVE-2017-3144 · 8.0 · 7.5 · 0.7272 · 2019-01-16
CVE-2019-0199 · 8.0 · 7.5 · 0.7286 · 2019-04-10
CVE-2019-11478 · 8.0 · 5.3 · 0.9469 · 2019-06-19
CVE-2019-9511 · 8.0 · 7.5 · 0.5837 · 2019-08-13
CVE-2019-9512 · 8.0 · 7.5 · 0.8343 · 2019-08-13
CVE-2019-9513 · 8.0 · 7.5 · 0.8202 · 2019-08-13
CVE-2019-9514 · 8.0 · 7.5 · 0.8281 · 2019-08-13