CVE Vulnerabilities

CVE-2026-32280

Allocation of Resources Without Limits or Throttling

Published: Apr 08, 2026 | Modified: Jul 02, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Weakness

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Software

NameVendorStart VersionEnd Version
GoGolang*1.25.9 (excluding)
GoGolang1.26.0 (including)1.26.2 (excluding)
Cryostat 4 on RHEL 9RedHatcryostat/cryostat-storage-rhel9:4.1.1-7*
HawtIO HawtIO 4.4.0RedHathawtio-operator-container*
Red Hat Ansible Automation Platform 2.5 for RHEL 8RedHatautomation-gateway-proxy-0:2.5.10-6.el8ap*
Red Hat Ansible Automation Platform 2.5 for RHEL 8RedHatreceptor-0:1.6.5-1.el8ap*
Red Hat Ansible Automation Platform 2.5 for RHEL 9RedHatautomation-gateway-proxy-0:2.6.14-3.el9ap*
Red Hat Ansible Automation Platform 2.5 for RHEL 9RedHatreceptor-0:1.6.5-1.el9ap*
Red Hat Ansible Automation Platform 2.6 for RHEL 10RedHatreceptor-0:1.6.5-1.el10ap*
Red Hat Ansible Automation Platform 2.6 for RHEL 9RedHatautomation-gateway-proxy-0:2.6.14-3.el9ap*
Red Hat Ansible Automation Platform 2.6 for RHEL 9RedHatreceptor-0:1.6.5-1.el9ap*
Red Hat Enterprise Linux 10RedHatgolang-0:1.25.9-3.el10_1*
Red Hat Enterprise Linux 10RedHatgit-lfs-0:3.7.1-4.el10_2*
Red Hat Enterprise Linux 10RedHatopentelemetry-collector-0:0.144.0-2.el10_2*
Red Hat Enterprise Linux 10RedHatgolang-github-openprinting-ipp-usb-0:0.9.27-7.el10_2*
Red Hat Enterprise Linux 10RedHatrhc-1:0.3.8-5.el10_2*
Red Hat Enterprise Linux 10RedHatgo-fdo-client-0:1.0.0-4.el10_2*
Red Hat Enterprise Linux 10RedHatgo-fdo-server-0:1.0.1-2.el10_2*
Red Hat Enterprise Linux 10RedHatdelve-0:1.26.1-2.el10_2*
Red Hat Enterprise Linux 10RedHatpodman-7:5.8.2-3.el10_2*
Red Hat Enterprise Linux 10RedHatyggdrasil-0:0.4.9-5.el10_2*
Red Hat Enterprise Linux 10RedHatskopeo-2:1.22.2-2.el10_2*
Red Hat Enterprise Linux 10RedHatbuildah-2:1.43.1-2.el10_2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgolang-0:1.25.9-1.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgvisor-tap-vsock-6:0.8.5-2.el10_0.1*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgrafana-pcp-0:5.2.2-6.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgrafana-0:10.2.6-24.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatyggdrasil-0:0.4.7-4.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgolang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.4*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatrhc-worker-playbook-0:0.2.3-5.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgit-lfs-0:3.6.1-2.el10_0.4*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatosbuild-composer-0:134.1-7.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatbuildah-2:1.39.9-1.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatpodman-6:5.4.0-15.el10_0.2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatskopeo-2:1.18.1-3.el10_0.2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatrhc-1:0.3.2-4.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatdelve-0:1.25.2-4.el10_0*
Red Hat Enterprise Linux 7 Extended Lifecycle SupportRedHathost-metering-0:1.4.0-7.el7_9*
Red Hat Enterprise Linux 8RedHatgo-toolset:rhel8-8100020260422204008.a3795dee*
Red Hat Enterprise Linux 8RedHatgrafana-0:9.2.10-30.el8_10*
Red Hat Enterprise Linux 8RedHatgrafana-pcp-0:5.1.1-14.el8_10*
Red Hat Enterprise Linux 8RedHatrhc-1:0.2.5-7.el8_10*
Red Hat Enterprise Linux 8RedHatgit-lfs-0:3.4.1-10.el8_10*
Red Hat Enterprise Linux 8RedHatcontainer-tools:rhel8-8100020260520103055.afee755d*
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRedHatcontainer-tools:rhel8-8060020260515174849.ad008a3a*
Red Hat Enterprise Linux 8.6 Telecommunications Update ServiceRedHatcontainer-tools:rhel8-8060020260515174849.ad008a3a*
Red Hat Enterprise Linux 8.6 Update Services for SAP SolutionsRedHatcontainer-tools:rhel8-8060020260515174849.ad008a3a*
Red Hat Enterprise Linux 9RedHatgolang-0:1.25.9-1.el9_7*
Red Hat Enterprise Linux 9RedHatgit-lfs-0:3.6.1-8.el9_7.1*
Red Hat Enterprise Linux 9RedHatgit-lfs-0:3.7.1-4.el9_8*
Red Hat Enterprise Linux 9RedHatopentelemetry-collector-0:0.144.0-2.el9_8*
Red Hat Enterprise Linux 9RedHatrhc-1:0.2.7-7.el9_8*
Red Hat Enterprise Linux 9RedHatpodman-6:5.8.2-3.el9_8*
Red Hat Enterprise Linux 9RedHatskopeo-2:1.22.2-6.el9_8*
Red Hat Enterprise Linux 9RedHatbuildah-2:1.43.1-2.el9_8*
Red Hat Enterprise Linux 9RedHatrunc-4:1.4.2-2.el9_8*
Red Hat Enterprise Linux 9RedHatcontainernetworking-plugins-1:1.9.0-3.el9_8*
Red Hat Enterprise Linux 9.4 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el9_4*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatbuildah-2:1.33.15-1.el9_4.1*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatpodman-4:4.9.4-20.el9_4.3*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatskopeo-2:1.14.6-1.el9_4*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatgolang-0:1.25.9-1.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatpodman-5:5.4.0-20.el9_6.3*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatgit-lfs-0:3.6.1-2.el9_6.4*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatgrafana-pcp-0:5.1.1-14.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatgrafana-0:10.2.6-21.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatbuildah-2:1.39.9-1.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatcontainernetworking-plugins-1:1.6.2-3.el9_6.1*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatskopeo-2:1.18.1-5.el9_6.1*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatosbuild-composer-0:132.2-7.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatrhc-1:0.2.7-1.el9_6.4*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatgvisor-tap-vsock-6:0.8.5-2.el9_6.2*
Red Hat OpenShift Container Platform 4.14RedHatcontainernetworking-plugins-1:1.4.0-6.rhaos4.14.el8*
Red Hat OpenShift Container Platform 4.14RedHatpodman-3:4.4.1-25.rhaos4.14.el8*
Red Hat OpenShift Container Platform 4.14RedHatskopeo-2:1.11.3-7.rhaos4.14.el8*
Red Hat OpenShift Container Platform 4.18RedHatcontainernetworking-plugins-1:1.4.0-9.rhaos4.18.el8*
Red Hat OpenShift Container Platform 4.18RedHatpodman-5:5.2.2-12.rhaos4.18.el8*
Red Hat OpenShift Container Platform 4.18RedHatrunc-4:1.2.9-6.rhaos4.18.el8*
Red Hat OpenShift Container Platform 4.18RedHatskopeo-2:1.16.1-5.rhaos4.18.el8*
Red Hat OpenShift Container Platform 4.18RedHatose-aws-ecr-image-credential-provider-0:4.18.0-202606021914.p2.gc395190.assembly.stream.el8*
Red Hat OpenShift Container Platform 4.18RedHatose-azure-acr-image-credential-provider-0:4.18.0-202606021914.p2.g9c24d76.assembly.stream.el8*
Red Hat OpenShift Container Platform 4.18RedHatose-gcp-gcr-image-credential-provider-0:4.18.0-202606021914.p2.g6ea2356.assembly.stream.el8*
Red Hat OpenShift Container Platform 4.19RedHatrunc-4:1.2.5-6.rhaos4.19.el9*
Red Hat OpenShift Container Platform 4.19RedHatskopeo-2:1.18.1-6.rhaos4.19.el9*
Red Hat OpenStack Platform 17.1 for RHEL 9RedHatetcd-0:3.4.26-9.5.el9ost*
Red Hat Satellite 6.16 for RHEL 8RedHatyggdrasil-worker-forwarder-0:0.0.3-5.el8sat*
Red Hat Satellite 6.16 for RHEL 9RedHatyggdrasil-worker-forwarder-0:0.0.3-5.el9sat*
Red Hat Satellite 6.19 for RHEL 9RedHatyggdrasil-worker-forwarder-0:0.0.3-5.el9sat*
Custom Metric Autoscaler 2.19RedHatcustom-metrics-autoscaler/custom-metrics-autoscaler-rhel9:1780101239*
Logging Subsystem for Red Hat OpenShift 6.0RedHatopenshift-logging/eventrouter-rhel9:1781192891*
Logging Subsystem for Red Hat OpenShift 6.4RedHatopenshift-logging/eventrouter-rhel9:1780051640*
Mirror registry for Red Hat OpenShift 2.0RedHatopenshift/mirror-registry-rhel8:1782177012*
Multicluster engine for Kubernetes 2.10RedHatmulticluster-engine/assisted-service-9-rhel9:1780106633*
Multicluster engine for Kubernetes 2.11RedHatmulticluster-engine/assisted-service-9-rhel9:1779991600*
Multicluster engine for Kubernetes 2.17RedHatmulticluster-engine/assisted-service-9-rhel9:1780297056*
Multicluster engine for Kubernetes 2.6RedHatmulticluster-engine/assisted-service-8-rhel8:1782203678*
Multicluster engine for Kubernetes 2.6RedHatmulticluster-engine/assisted-service-9-rhel9:1782207490*
Multicluster engine for Kubernetes 2.8RedHatmulticluster-engine/assisted-service-8-rhel8:1779910504*
Multicluster engine for Kubernetes 2.8RedHatmulticluster-engine/assisted-service-9-rhel9:1779910129*
Multicluster Global Hub 1.4.5RedHatmulticluster-globalhub/multicluster-globalhub-agent-rhel9:1779838819*
Multicluster Global Hub 1.5.4RedHatmulticluster-globalhub/multicluster-globalhub-agent-rhel9:1779828691*
Multicluster Global Hub 1.6.2RedHatmulticluster-globalhub/multicluster-globalhub-agent-rhel9:1780320809*
Network Observability (NETOBSERV) 1.11.2RedHatnetwork-observability/network-observability-cli-rhel9:1778508501*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-rhel9:1779809598*
OpenShift API for Data Protection 1.5RedHatoadp/oadp-velero-rhel9:1779808027*
OpenShift Compliance Operator 1RedHatcompliance/openshift-compliance-operator-bundle:1781605005*
Red Hat Advanced Cluster Management for Kubernetes 2.14RedHatrhacm2/subctl-rhel9:1780238563*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-main-rhel8:1777976489*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-rhel8-operator:1777976489*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-roxctl-rhel8:1777976489*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-scanner-v4-rhel8:1777976489*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-scanner-rhel8:1778755463*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-scanner-slim-rhel8:1778755463*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-main-rhel8:1777986630*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-rhel8-operator:1777986630*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-roxctl-rhel8:1777986630*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-scanner-v4-rhel8:1777986630*
Red Hat Ansible Automation Platform 2.6RedHatansible-automation-platform-26/receptor-rhel9:1777391542*
Red Hat Developer Hub 1.8RedHatrhdh/rhdh-rhel9-operator:1779841292*
Red Hat Developer Hub 1.9RedHatrhdh/rhdh-rhel9-operator:1777902709*
Red Hat Lightspeed (formerly Insights) for Runtimes 1RedHatrh-lightspeed-runtimes/runtimes-inventory-rhel9-operator:1.0.3-1779996197*
Red Hat OpenShift AI 2.25RedHatrhoai/odh-rhel9-operator:1780513840*
Red Hat OpenShift Builds 1.7.3RedHatopenshift-builds/openshift-builds-waiters-rhel9:1780374228*
Red Hat OpenShift Dev Spaces 3.28RedHatdevspaces/udi-rhel9:1779829736*
Red Hat OpenShift distributed tracing 3.9.3RedHatrhosdt/opentelemetry-collector-rhel9:1778056267*
Red Hat OpenShift distributed tracing 3.9.3RedHatrhosdt/opentelemetry-rhel9-operator:1778056233*
Red Hat OpenShift distributed tracing 3.9.3RedHatrhosdt/opentelemetry-target-allocator-rhel9:1778056245*
Red Hat OpenShift distributed tracing 3.9.3RedHatrhosdt/tempo-rhel9:1776435680*
Red Hat OpenShift Service Mesh 2.6RedHatopenshift-service-mesh/istio-cni-rhel8:1777374598*
Red Hat OpenShift Service Mesh 2.6RedHatopenshift-service-mesh/istio-rhel8-operator:1777320087*
Red Hat OpenShift Service Mesh 2.6RedHatopenshift-service-mesh/pilot-rhel8:1777319850*
Red Hat OpenShift Service Mesh 2.6RedHatopenshift-service-mesh/ratelimit-rhel8:1777319773*
Red Hat OpenShift Service Mesh 2.6RedHatopenshift-service-mesh/kiali-rhel8:1778191378*
Red Hat OpenShift Service Mesh 3.0RedHatopenshift-service-mesh/istio-cni-rhel9:1777883393*
Red Hat OpenShift Service Mesh 3.0RedHatopenshift-service-mesh/istio-pilot-rhel9:1777883471*
Red Hat OpenShift Service Mesh 3.0RedHatopenshift-service-mesh/istio-rhel9-operator:1778149127*
Red Hat OpenShift Service Mesh 3.0RedHatopenshift-service-mesh/kiali-rhel9:1778164208*
Red Hat OpenShift Service Mesh 3.1RedHatopenshift-service-mesh/istio-cni-rhel9:1777884045*
Red Hat OpenShift Service Mesh 3.1RedHatopenshift-service-mesh/istio-pilot-rhel9:1777884022*
Red Hat OpenShift Service Mesh 3.1RedHatopenshift-service-mesh/istio-rhel9-operator:1778149657*
Red Hat OpenShift Service Mesh 3.1RedHatopenshift-service-mesh/kiali-rhel9:1778164042*
Red Hat OpenShift Service Mesh 3.2RedHatopenshift-service-mesh/istio-cni-rhel9:1778007597*
Red Hat OpenShift Service Mesh 3.2RedHatopenshift-service-mesh/istio-pilot-rhel9:1778007366*
Red Hat OpenShift Service Mesh 3.2RedHatopenshift-service-mesh/istio-rhel9-operator:1778150474*
Red Hat OpenShift Service Mesh 3.2RedHatopenshift-service-mesh/kiali-rhel9:1778163909*
Red Hat OpenShift Service Mesh 3.3RedHatopenshift-service-mesh/istio-cni-rhel9:1778007548*
Red Hat OpenShift Service Mesh 3.3RedHatopenshift-service-mesh/istio-pilot-rhel9:1778007569*
Red Hat OpenShift Service Mesh 3.3RedHatopenshift-service-mesh/istio-rhel9-operator:1778151060*
Red Hat OpenShift Service Mesh 3.3RedHatopenshift-service-mesh/kiali-rhel9:1778163986*
Red Hat OpenStack 1.5RedHatstf/sg-core-rhel9:1777452570*
Red Hat Quay 3.10RedHatquay/quay-rhel8:1779822261*
Red Hat Quay 3.14RedHatquay/quay-rhel8:1779689392*
Red Hat Quay 3.15RedHatquay/quay-rhel8:1780891395*
Red Hat Quay 3.16RedHatquay/quay-rhel9:1779204086*
Red Hat Quay 3.17RedHatquay/quay-rhel9:1779922205*
Red Hat Quay 3.9RedHatquay/quay-rhel8:1779811473*
Red Hat Trusted Artifact Signer 1.3RedHatrhtas/client-server-rhel9:1780399582*
Red Hat Web Terminal 1.11RedHatweb-terminal/web-terminal-exec-rhel9:1780423339*
Red Hat Web Terminal 1.12RedHatweb-terminal/web-terminal-exec-rhel9:1780425077*
Red Hat Web Terminal 1.13RedHatweb-terminal/web-terminal-exec-rhel9:1780425080*
Red Hat Web Terminal 1.14RedHatweb-terminal/web-terminal-exec-rhel9:1780424928*
Red Hat Web Terminal 1.15RedHatweb-terminal/web-terminal-exec-rhel9:1780424829*
Golang-1.10Ubuntuesm-infra/xenial*
Golang-1.13Ubuntuesm-apps-legacy/xenial*
Golang-1.13Ubuntuesm-apps/bionic*
Golang-1.13Ubuntuesm-apps/jammy*
Golang-1.13Ubuntuesm-apps/xenial*
Golang-1.13Ubuntuesm-infra/focal*
Golang-1.13Ubuntujammy*
Golang-1.14Ubuntuesm-infra/focal*
Golang-1.16Ubuntuesm-apps/bionic*
Golang-1.16Ubuntuesm-apps/focal*
Golang-1.17Ubuntujammy*
Golang-1.18Ubuntuesm-apps-legacy/xenial*
Golang-1.18Ubuntuesm-apps/bionic*
Golang-1.18Ubuntuesm-apps/focal*
Golang-1.18Ubuntuesm-apps/xenial*
Golang-1.18Ubuntujammy*
Golang-1.20Ubuntuesm-apps/focal*
Golang-1.20Ubuntuesm-apps/jammy*
Golang-1.20Ubuntujammy*
Golang-1.21Ubuntuesm-apps/focal*
Golang-1.21Ubuntuesm-apps/jammy*
Golang-1.21Ubuntuesm-apps/noble*
Golang-1.21Ubuntujammy*
Golang-1.21Ubuntunoble*
Golang-1.22Ubuntuesm-apps/focal*
Golang-1.22Ubuntuesm-apps/jammy*
Golang-1.22Ubuntujammy*
Golang-1.22Ubuntunoble*
Golang-1.23Ubuntudevel*
Golang-1.23Ubuntuesm-apps/jammy*
Golang-1.23Ubuntuesm-apps/noble*
Golang-1.23Ubuntuesm-apps/resolute*
Golang-1.23Ubuntujammy*
Golang-1.23Ubuntunoble*
Golang-1.23Ubuntuquesting*
Golang-1.23Ubunturesolute*
Golang-1.24Ubuntudevel*
Golang-1.24Ubuntuesm-apps/jammy*
Golang-1.24Ubuntuesm-apps/noble*
Golang-1.24Ubuntujammy*
Golang-1.24Ubuntunoble*
Golang-1.24Ubuntuquesting*
Golang-1.24Ubunturesolute*
Golang-1.25Ubuntuquesting*
Golang-1.25Ubunturesolute*
Golang-1.6Ubuntuesm-infra/xenial*

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”

  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution can be difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker.

  • If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.

  • Ensure that all failures in resource allocation place the system into a safe posture.

  • Use quotas or other resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.

  • When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.

  • Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).

References