CWE · MITRE source
CWE-770: Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 32 mapping(s) from 6 framework(s): CAPEC 19 (mostly) · ATT&CK 7 (full) · STIG oracle linux 8 2 (mostly) · STIG oracle linux 9 2 (mostly) · STIG rhel 8 1 (mostly) · ASVS 5.0 1 (partial)
NIST 800-53 r5 controls that address this weakness (15)
Showing the 11 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-10 | Network Disconnect | SC | Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections. |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Redundant provisioning limits the effectiveness of uncontrolled allocation attacks on resolution infrastructure. |
| SC-36 | Distributed Processing and Storage | SC | Decentralized allocation inherently caps the resources available to any one component or attacker, countering unbounded allocation weaknesses. |
| CP-4 | Contingency Plan Testing | CP | Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use. |
| CP-5 | Contingency Plan Update | CP | Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages. |
| CP-7 | Alternate Processing Site | CP | Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime. |
| SI-13 | Predictable Failure Prevention | SI | Pre-planned substitution limits the window an attacker can exploit unbounded allocation to cause predictable component failure. |
| SI-8 | Spam Protection | SI | The control enforces limits on message volume and unsolicited traffic, reducing the impact of resource allocations without throttling. |
| AC-10 | Concurrent Session Control | AC | This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits. |
| PL-6 | Security-related Activity Planning | PL | Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely. |
| PM-6 | Measures of Performance | PM | Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks. |
4 more broadly-applicable controls:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-47 | Alternate Communications Paths | SC | Unbounded allocation or throttling attacks on one path are contained; the alternate path preserves organizational command functions. |
| SC-5 | Denial-of-service Protection | SC | Requires throttling and limits on resource allocation to prevent exhaustion. |
| SC-6 | Resource Availability | SC | Implements the missing limits and throttling on resource allocation that this weakness describes. |
| CP-8 | Telecommunications Services | CP | Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-3566 KEV | 10.0 | 8.6 | 0.0363 | 2020-08-29 |
| CVE-2020-3569 KEV | 10.0 | 8.6 | 0.0329 | 2020-09-23 |
| CVE-2008-5180 | 8.0 | 5.3 | 0.6798 | 2008-11-20 |
| CVE-2017-8779 | 8.0 | 7.5 | 0.8192 | 2017-05-04 |
| CVE-2019-11478 | 8.0 | 5.3 | 0.9469 | 2019-06-19 |
| CVE-2019-11479 | 8.0 | 7.5 | 0.9166 | 2019-06-19 |
| CVE-2019-9511 | 8.0 | 7.5 | 0.5837 | 2019-08-13 |
| CVE-2019-9514 | 8.0 | 7.5 | 0.8281 | 2019-08-13 |
| CVE-2019-9515 | 8.0 | 7.5 | 0.8781 | 2019-08-13 |
| CVE-2019-9516 | 8.0 | 6.5 | 0.5626 | 2019-08-13 |
| CVE-2022-30522 | 8.0 | 7.5 | 0.9041 | 2022-06-09 |
| CVE-2023-2650 | 8.0 | 6.5 | 0.7346 | 2023-05-30 |
| CVE-2023-0921 | 8.0 | 4.3 | 0.8444 | 2023-06-06 |
| CVE-2023-38039 | 8.0 | 7.5 | 0.6225 | 2023-09-15 |
| CVE-2023-50387 | 8.0 | 7.5 | 1.0000 | 2024-02-14 |
| CVE-2024-28182 UPD | 8.0 | 5.3 | 0.8496 | 2024-04-04 |
| CVE-2024-27316 UPD | 8.0 | 7.5 | 0.9133 | 2024-04-04 |
| CVE-2025-48976 UPD | 8.0 | 7.5 | 0.6326 | 2025-06-16 |
| CVE-2025-48988 UPD | 8.0 | 7.5 | 0.5323 | 2025-06-16 |
| CVE-2017-6640 | 7.0 | 9.8 | 0.1072 | 2017-06-08 |
| CVE-2017-6713 | 7.0 | 9.8 | 0.0293 | 2017-07-06 |
| CVE-2018-20033 | 7.0 | 9.8 | 0.0367 | 2019-02-25 |
| CVE-2019-15753 | 7.0 | 9.1 | 0.0259 | 2019-08-28 |
| CVE-2019-17067 | 7.0 | 9.8 | 0.0163 | 2019-10-01 |
| CVE-2021-41591 | 7.0 | 9.4 | 0.0165 | 2021-10-04 |