Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-789 (未经控制的内存分配) — Vulnerability Class 98

98 vulnerabilities classified as CWE-789 (未经控制的内存分配). AI Chinese analysis included.

CWE-789 represents a critical memory management weakness where software allocates resources based on unvalidated, excessively large size values provided by external inputs. This flaw typically arises when developers fail to enforce upper bounds on integer parameters before invoking allocation functions, allowing attackers to supply maliciously crafted values that trigger massive memory consumption. Exploitation often leads to denial-of-service conditions through system exhaustion or resource starvation, potentially destabilizing the entire host environment. To mitigate this risk, developers must implement rigorous input validation strategies that strictly check size parameters against predefined, safe thresholds before any allocation occurs. Additionally, utilizing language-specific bounds checking mechanisms and static analysis tools can help identify potential overflows early in the development lifecycle, ensuring that memory requests remain within acceptable operational limits and preventing arbitrary resource depletion.

MITRE CWE Description
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Common Consequences (1)
AvailabilityDoS: Resource Consumption (Memory)
Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.
Mitigations (2)
Implementation, Architecture and DesignPerform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
OperationRun your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
Examples (2)
Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.
unsigned int size = GetUntrustedInt(); /* ignore integer overflow (CWE-190) for this example */ unsigned int totBytes = size * sizeof(char); char *string = (char *)malloc(totBytes); InitializeString(string);
Bad · C
Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.
unsigned int size = GetUntrustedInt(); HashMap list = new HashMap(size);
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2025-66199 TLS 1.3 CompressedCertificate excessive memory allocation — OpenSSL 7.5AIHighAI2026-01-27
CVE-2026-22803 SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer — kit 7.5AIHighAI2026-01-15
CVE-2026-22026 CryptoLib Unbounded Memory Allocation in KMC HTTP Response Handler Allows Resource Exhaustion — CryptoLib 7.5 -2026-01-10
CVE-2025-12983 Memory Allocation with Excessive Size Value in GitLab — GitLab 3.5 Low2025-11-15
CVE-2025-2534 IBM Db2 denial of service — Db2 5.3 Medium2025-11-07
CVE-2025-11579 DoS via Out Of Memory Crash — rardecode 5.3 Medium2025-10-10
CVE-2025-61910 NASA ION-DTN BPv7 4.1.3s Uncontrolled Memory Allocation that leads to Denial-of-Service — ION-DTN 7.5 High2025-10-07
CVE-2025-8696 DoS attack against the Stork UI from an unauthenticated user — Stork 7.5 High2025-09-10
CVE-2025-23331 NVIDIA Triton Inference Server 安全漏洞 — Triton Inference Server 7.5 High2025-08-06
CVE-2025-54801 Fiber Susceptible to Crash via `BodyParser` Due to Unvalidated Large Slice Index in Decoder — fiber 7.5AIHighAI2025-08-05
CVE-2025-2533 IBM Db2 for Linux denial of service — Db2 5.3 Medium2025-07-29
CVE-2025-4605 USD File Parsing Memory Allocation Vulnerability — USD for Maya 6.6 Medium2025-06-11
CVE-2025-2518 IBM Db2 denial of service — Db2 for Linux, UNIX and Windows 5.3 Medium2025-05-29
CVE-2025-3632 IBM 4769 Developers Toolkit denial of service — 4769 Developers Toolkit 7.5 High2025-05-12
CVE-2025-20140 Cisco IOS XE 安全漏洞 — Cisco IOS XE Software 7.4 High2025-05-07
CVE-2025-27533 Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation — Apache ActiveMQ 7.5AIHighAI2025-05-07
CVE-2025-32386 Helm Allows A Specially Crafted Chart Archive To Cause Out Of Memory Termination — helm 6.5 Medium2025-04-09
CVE-2025-30211 KEX init error results with excessive memory usage — otp 7.5 High2025-03-28
CVE-2025-26618 SSH SFTP packet size not verified properly in Erlang OTP — otp 5.9 -2025-02-20
CVE-2025-20165 Cisco BroadWorks SIP Denial of Service Vulnerability — Cisco BroadWorks 7.5 High2025-01-22
CVE-2024-52791 Denial of service through memory exhaustion in Matrix Media Repo — matrix-media-repo 5.3 Medium2025-01-16
CVE-2024-41762 IBM Db2 denial of service — Db2 for Linux, UNIX and Windows 5.3 Medium2024-12-07
CVE-2024-37071 IBM Db2 denial of service — Db2 for Linux, UNIX and Windows 5.3 Medium2024-12-07
CVE-2024-41761 IBM Db2 denial of service — Db2 for Linux, UNIX and Windows 5.3 Medium2024-11-23
CVE-2022-20845 Cisco Network Convergence System 4000 Series TL1 Denial of Service Vulnerability — Cisco IOS XR Software 6.0 Medium2024-11-15
CVE-2024-20260 Cisco Adaptive Security Virtual Appliance and Secure Firewall Threat Defense Virtual SSL VPN Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software 8.6 High2024-10-23
CVE-2024-40680 IBM MQ denial of service — MQ 5.5 Medium2024-09-07
CVE-2024-37529 IBM Db2 denial of service — Db2 for Linux, UNIX and Windows 6.5 Medium2024-08-14
CVE-2024-35152 IBM Db2 denial of service — Db2 for Linux, UNIX and Windows 6.5 Medium2024-08-14
CVE-2024-41132 SixLabors ImageSharp Allows Excessive Memory Allocation in Gif Decoder — ImageSharp 5.3 Medium2024-07-22

Vulnerabilities classified as CWE-789 (未经控制的内存分配) represent 98 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.