CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
905 vulnerabilities reference this CWE, most recent first.
GHSA-M8RJ-PPPH-MJ33
Vulnerability from github – Published: 2025-10-01 15:53 – Updated: 2025-10-03 13:22Impact
When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.
Patches
The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:
- Volto 16: 16.34.1
- Volto 17: 17.22.2
- Volto 18: 18.27.2
- Volto 19: 19.0.0-alpha6
Workarounds
Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.
Report
The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@plone/volto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.34.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@plone/volto"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0"
},
{
"fixed": "17.22.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@plone/volto"
},
"ranges": [
{
"events": [
{
"introduced": "18.0.0"
},
{
"fixed": "18.27.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@plone/volto"
},
"ranges": [
{
"events": [
{
"introduced": "19.0.0-alpha.1"
},
{
"fixed": "19.0.0-alpha.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61668"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-01T15:53:43Z",
"nvd_published_at": "2025-10-02T22:15:38Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.\n\n### Patches\nThe problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:\n\n- Volto 16: [16.34.1](https://github.com/plone/volto/releases/tag/16.34.1)\n- Volto 17: [17.22.2](https://github.com/plone/volto/releases/tag/17.22.2)\n- Volto 18: [18.27.2](https://github.com/plone/volto/releases/tag/18.27.2)\n- Volto 19: [19.0.0-alpha6](https://github.com/plone/volto/releases/tag/19.0.0-alpha.6)\n\n### Workarounds\nMake sure your setup automatically restarts processes that quit with an error. This won\u0027t prevent a crash, but it minimises downtime.\n\n### Report\nThe problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).",
"id": "GHSA-m8rj-ppph-mj33",
"modified": "2025-10-03T13:22:42Z",
"published": "2025-10-01T15:53:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/plone/volto/security/advisories/GHSA-m8rj-ppph-mj33"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61668"
},
{
"type": "WEB",
"url": "https://github.com/plone/volto/pull/7412"
},
{
"type": "WEB",
"url": "https://github.com/plone/volto/pull/7413"
},
{
"type": "WEB",
"url": "https://github.com/plone/volto/commit/58d9f82d2d50ca9a87edbe16fed91762e57c109c"
},
{
"type": "PACKAGE",
"url": "https://github.com/plone/volto"
},
{
"type": "WEB",
"url": "https://github.com/plone/volto/releases/tag/16.34.1"
},
{
"type": "WEB",
"url": "https://github.com/plone/volto/releases/tag/17.22.2"
},
{
"type": "WEB",
"url": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.6"
},
{
"type": "WEB",
"url": "http://github.com/plone/volto/releases/tag/18.27.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": " @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user "
}
GHSA-MCFX-6PWV-Q5V8
Vulnerability from github – Published: 2026-01-29 21:30 – Updated: 2026-03-09 18:31Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of service on incoming calls.
{
"affected": [],
"aliases": [
"CVE-2025-15542"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-29T19:16:11Z",
"severity": "MODERATE"
},
"details": "Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of service on incoming calls.",
"id": "GHSA-mcfx-6pwv-q5v8",
"modified": "2026-03-09T18:31:36Z",
"published": "2026-01-29T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15542"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/de/support/download/vx800v/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/faq/4930"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MF43-G8VP-9Q4M
Vulnerability from github – Published: 2026-05-18 09:31 – Updated: 2026-05-18 09:31Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633
{
"affected": [],
"aliases": [
"CVE-2026-4643"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-18T09:16:23Z",
"severity": "LOW"
},
"details": "Mattermost Desktop App versions \u003c=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633",
"id": "GHSA-mf43-g8vp-9q4m",
"modified": "2026-05-18T09:31:48Z",
"published": "2026-05-18T09:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4643"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MFWR-V65C-M55Q
Vulnerability from github – Published: 2026-04-13 06:30 – Updated: 2026-04-13 21:30Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard.
{
"affected": [],
"aliases": [
"CVE-2026-21007"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T06:16:05Z",
"severity": "MODERATE"
},
"details": "Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard.",
"id": "GHSA-mfwr-v65c-m55q",
"modified": "2026-04-13T21:30:42Z",
"published": "2026-04-13T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21007"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026\u0026month=04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MG3M-W94W-VR47
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2026-05-29 00:38A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause denial of HTTP and FTP services when a series of specially crafted requests is sent to the controller over HTTP.
{
"affected": [],
"aliases": [
"CVE-2020-7549"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-11T01:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause denial of HTTP and FTP services when a series of specially crafted requests is sent to the controller over HTTP.",
"id": "GHSA-mg3m-w94w-vr47",
"modified": "2026-05-29T00:38:31Z",
"published": "2022-05-24T17:36:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7549"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MGJ6-Q8HW-4XH2
Vulnerability from github – Published: 2022-12-19 12:30 – Updated: 2022-12-23 21:30Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions. This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.
{
"affected": [],
"aliases": [
"CVE-2022-32749"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-19T11:15:00Z",
"severity": "HIGH"
},
"details": "Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions. This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.",
"id": "GHSA-mgj6-q8hw-4xh2",
"modified": "2022-12-23T21:30:17Z",
"published": "2022-12-19T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32749"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHCF-92F4-9369
Vulnerability from github – Published: 2023-03-31 18:30 – Updated: 2023-04-10 18:30Improper Input Validation vulnerability in ABB AC500 V2 PM5xx allows Client-Server Protocol Manipulation.This issue affects AC500 V2: from 2.0.0 before 2.8.6.
{
"affected": [],
"aliases": [
"CVE-2022-3192"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-31T17:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Input Validation vulnerability in ABB AC500 V2 PM5xx allows Client-Server Protocol Manipulation.This issue affects AC500 V2: from 2.0.0 before 2.8.6.",
"id": "GHSA-mhcf-92f4-9369",
"modified": "2023-04-10T18:30:22Z",
"published": "2023-03-31T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3192"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=3ADR011162\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MHXW-PRXV-H6HR
Vulnerability from github – Published: 2024-07-11 18:31 – Updated: 2024-07-11 18:31An Improper Check for Unusual or Exceptional Conditions vulnerability in the the IKE daemon (iked) of Juniper Networks Junos OS on SRX Series, MX Series with SPC3 and NFX350 allows allows an unauthenticated, network-based attacker sending specific mismatching parameters as part of the IPsec negotiation to trigger an iked crash leading to Denial of Service (DoS).
This issue is applicable to all platforms that run iked. This issue affects Junos OS on SRX Series, MX Series with SPC3 and NFX350:
- All versions before 21.2R3-S8,
- from 21.4 before 21.4R3-S7,
- from 22.1 before 22.1R3-S2,
- from 22.2 before 22.2R3-S1,
- from 22.3 before 22.3R2-S1, 22.3R3,
- from 22.4 before 22.4R1-S2, 22.4R2, 22.4R3.
{
"affected": [],
"aliases": [
"CVE-2024-39545"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-11T17:15:13Z",
"severity": "HIGH"
},
"details": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the the IKE daemon (iked) of Juniper Networks Junos OS on SRX Series, MX Series with SPC3 and NFX350 allows allows an unauthenticated, network-based attacker sending specific mismatching parameters as part of the IPsec negotiation to trigger an iked crash leading to Denial of Service (DoS).\n\nThis issue is applicable to all platforms that run iked.\u00a0This issue affects Junos OS on SRX Series, MX Series with SPC3 and NFX350:\u00a0\n\n\n\n * All versions before 21.2R3-S8,\u00a0\n * from 21.4 before 21.4R3-S7,\u00a0\n * from 22.1 before 22.1R3-S2,\u00a0\n * from 22.2 before 22.2R3-S1,\u00a0\n * from 22.3 before 22.3R2-S1, 22.3R3,\u00a0\n * from 22.4 before 22.4R1-S2, 22.4R2, 22.4R3.",
"id": "GHSA-mhxw-prxv-h6hr",
"modified": "2024-07-11T18:31:13Z",
"published": "2024-07-11T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39545"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA83007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MM38-WHQG-H6QC
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399404. References: QC-CR#1094852.
{
"affected": [],
"aliases": [
"CVE-2017-0610"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-12T15:29:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399404. References: QC-CR#1094852.",
"id": "GHSA-mm38-whqg-h6qc",
"modified": "2022-05-13T01:40:20Z",
"published": "2022-05-13T01:40:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0610"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-05-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98255"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MP98-Q49W-JJHW
Vulnerability from github – Published: 2023-09-29 06:30 – Updated: 2024-04-04 07:58Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking eventName.startsWith() or eventName.toString(), while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.
{
"affected": [],
"aliases": [
"CVE-2023-30591"
],
"database_specific": {
"cwe_ids": [
"CWE-241",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-29T06:15:09Z",
"severity": "HIGH"
},
"details": "Denial-of-service in NodeBB \u003c= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.",
"id": "GHSA-mp98-q49w-jjhw",
"modified": "2024-04-04T07:58:03Z",
"published": "2023-09-29T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30591"
},
{
"type": "WEB",
"url": "https://github.com/NodeBB/NodeBB/commit/37b48b82a4bc7680c6e4c42647209010cb239c2c"
},
{
"type": "WEB",
"url": "https://github.com/NodeBB/NodeBB/commit/4d2d76897a02e7068ab74c81d17a2febfae8bfb9"
},
{
"type": "WEB",
"url": "https://github.com/NodeBB/NodeBB/commit/830f142b7aea2e597294a84d52c05aab3a3539ca"
},
{
"type": "WEB",
"url": "https://starlabs.sg/advisories/23/23-30591"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.