CWE-770: Allocation of Resources Without Limits or Throttling

Abstraction: Base · CVEs in our corpus: 1,938

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 32 mapping(s) from 6 framework(s): CAPEC: 19 (mostly) · ATT&CK: 7 (full) · STIG Oracle Linux 8: 2 (mostly) · STIG Oracle Linux 9: 2 (mostly) · STIG RHEL 8: 1 (mostly) · ASVS 5.0: 1 (partial)

NIST 800-53 r5 controls that address this weakness (15) · AI

Showing the 11 most specific. Generic controls that address many weakness types are collapsed below.

Control | Title | Family | Why it addresses this CWE
SC-10 | Network Disconnect | SC | Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Redundant provisioning limits the effectiveness of uncontrolled allocation attacks on resolution infrastructure.
SC-36 | Distributed Processing and Storage | SC | Decentralized allocation inherently caps the resources available to any one component or attacker, countering unbounded allocation weaknesses.
CP-4 | Contingency Plan Testing | CP | Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
CP-5 | Contingency Plan Update | CP | Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
CP-7 | Alternate Processing Site | CP | Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
SI-13 | Predictable Failure Prevention | SI | Pre-planned substitution limits the window an attacker can exploit unbounded allocation to cause predictable component failure.
SI-8 | Spam Protection | SI | The control enforces limits on message volume and unsolicited traffic, reducing the impact of resource allocations without throttling.
AC-10 | Concurrent Session Control | AC | This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
PL-6 | Security-related Activity Planning | PL | Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
PM-6 | Measures of Performance | PM | Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.

4 more broadly-applicable controls:

Control | Title | Family | Why it addresses this CWE
SC-47 | Alternate Communications Paths | SC | Unbounded allocation or throttling attacks on one path are contained; the alternate path preserves organizational command functions.
SC-5 | Denial-of-service Protection | SC | Requires throttling and limits on resource allocation to prevent exhaustion.
SC-6 | Resource Availability | SC | Implements the missing limits and throttling on resource allocation that this weakness describes.
CP-8 | Telecommunications Services | CP | Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2020-3566 KEV | 10.0 | 8.6 | 0.0363 | 2020-08-29
CVE-2020-3569 KEV | 10.0 | 8.6 | 0.0329 | 2020-09-23
CVE-2008-5180 | 8.0 | 5.3 | 0.6798 | 2008-11-20
CVE-2017-8779 | 8.0 | 7.5 | 0.8192 | 2017-05-04
CVE-2019-11478 | 8.0 | 5.3 | 0.9469 | 2019-06-19
CVE-2019-11479 | 8.0 | 7.5 | 0.9166 | 2019-06-19
CVE-2019-9511 | 8.0 | 7.5 | 0.5837 | 2019-08-13
CVE-2019-9514 | 8.0 | 7.5 | 0.8281 | 2019-08-13
CVE-2019-9515 | 8.0 | 7.5 | 0.8781 | 2019-08-13
CVE-2019-9516 | 8.0 | 6.5 | 0.5626 | 2019-08-13
CVE-2022-30522 | 8.0 | 7.5 | 0.9041 | 2022-06-09
CVE-2023-2650 | 8.0 | 6.5 | 0.7346 | 2023-05-30
CVE-2023-0921 | 8.0 | 4.3 | 0.8444 | 2023-06-06
CVE-2023-38039 | 8.0 | 7.5 | 0.6225 | 2023-09-15
CVE-2023-50387 | 8.0 | 7.5 | 1.0000 | 2024-02-14
CVE-2024-28182 UPD | 8.0 | 5.3 | 0.8496 | 2024-04-04
CVE-2024-27316 UPD | 8.0 | 7.5 | 0.9133 | 2024-04-04
CVE-2025-48976 UPD | 8.0 | 7.5 | 0.6326 | 2025-06-16
CVE-2025-48988 UPD | 8.0 | 7.5 | 0.5323 | 2025-06-16
CVE-2017-6640 | 7.0 | 9.8 | 0.1072 | 2017-06-08
CVE-2017-6713 | 7.0 | 9.8 | 0.0293 | 2017-07-06
CVE-2018-20033 | 7.0 | 9.8 | 0.0367 | 2019-02-25
CVE-2019-15753 | 7.0 | 9.1 | 0.0259 | 2019-08-28
CVE-2019-17067 | 7.0 | 9.8 | 0.0163 | 2019-10-01
CVE-2021-41591 | 7.0 | 9.4 | 0.0165 | 2021-10-04