Resource Exhaustion: How Attackers Can Overload Your Website
A plain-English explanation of how attackers can use up a website’s limited resources, causing slowdowns, crashes, lockouts, or downtime for real customers.
A resource exhaustion vulnerability can allow attackers to slow down, crash, or block access to a system by forcing it to use too many of its limited resources. This is the main idea behind CWE-400: Uncontrolled Resource Consumption. In this case, the issue is connected to the recent Microsoft Defender Denial of Service vulnerability, tracked as CVE-2026-45498.
In simple terms, imagine an application is like a small restaurant. The restaurant only has a certain number of tables, chairs, workers, plates, and food. These are the restaurant’s resources. A computer system also has resources, such as memory, processing power, database connections, and login capacity.
Normally, real users use a small amount of these resources at a time. The problem happens when an attacker finds a way to make the application use too many resources at once. This would be like someone walking into the restaurant and asking for every table, every plate, and all of the workers, even though they do not actually plan to eat there.
When this happens to an application, real users may not be able to access it anymore. The application may become slow, crash completely, or lock out legitimate users. This type of attack is commonly called a denial-of-service attack, or DoS. The goal is not always to steal information directly, but to make the system unavailable to the people who are supposed to use it. For example, if an attacker can force an application to use too much memory, the application may slow down. If it gets bad enough, the server running the application may also slow down or crash. This can affect more than just the application itself because other services on the same system may also be impacted.
Another concern is that some systems may fail in an unsafe way when they run out of resources. This is sometimes called failing open. In simple terms, imagine a locked door that normally checks whether someone is allowed to enter. If the lock gets overwhelmed and breaks, the safest thing would be for the door to stay locked. That would be failing closed. But if the door breaks and unlocks instead, that would be failing open. Failing open can be dangerous because the system may accidentally skip security checks or allow access that should have been blocked. In this case, a resource exhaustion attack may not only make the system slower or unavailable, but could also weaken the system’s security protections.
The best way to prevent this kind of vulnerability is to place limits on how many resources one user or request can use. Applications should use throttling or rate limiting so that one person cannot send too many requests too quickly. Login systems should be protected from repeated abuse, database requests should be limited where possible, and expensive actions should not be allowed to run endlessly. It is also important that the system handles failure safely. If the application runs out of memory, database connections, or processing power, it should not unlock protected areas, skip permissions, or expose information. It should fail in a safe way that protects the system and its users.
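The two controls described above, as an added illustration that is not code from the original post or from any product it mentions: a per-client token-bucket rate limiter in front of a protected endpoint, and a permission check that fails closed (returns 503) when its worker pool is exhausted, shown beside the unsafe fail-open behaviour the door analogy warns about. The `Gate`, `TokenBucket` and `PoolExhausted` names, the one-worker pool and the `"alice"` admin account are all constructed for this example.

```python
import time
from threading import BoundedSemaphore


class TokenBucket:
    """Per-client limiter: `capacity` requests in a burst, refilled at `rate` per second."""
    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PoolExhausted(Exception):
    """No permission-check worker is free: the 'overwhelmed lock' from the text."""


class Gate:
    """A protected endpoint guarded by rate limiting and a small check-worker pool."""
    def __init__(self, burst=3, rate=1.0, max_checks=1, fail_open=False):
        self.burst, self.rate, self.fail_open = burst, rate, fail_open
        self.buckets, self.admins = {}, {"alice"}   # constructed sample data
        self.pool = BoundedSemaphore(max_checks)    # stands in for a DB/auth worker pool

    def _check_permission(self, user):
        if not self.pool.acquire(blocking=False):
            raise PoolExhausted
        try:
            return user in self.admins
        finally:
            self.pool.release()

    def request(self, user, now=None):
        now = time.monotonic() if now is None else now
        bucket = self.buckets.setdefault(user, TokenBucket(self.burst, self.rate, now))
        if not bucket.allow(now):
            return 429                       # throttled before any expensive work runs
        try:
            allowed = self._check_permission(user)
        except PoolExhausted:
            if self.fail_open:
                allowed = True               # unsafe: the door unlocks when the lock breaks
            else:
                return 503                   # fail closed: refuse rather than skip the check
        return 200 if allowed else 403
```

Passing `now` explicitly lets the refill logic be exercised deterministically; in a real service it would be left at its default, and the pool would be a real connection or auth-backend pool.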
Resource exhaustion vulnerabilities are important because they can stop real users from accessing a service and may also cause the system to behave in unsafe ways. Even though this type of issue may sound simple, it can have a serious impact when attackers are able to abuse it at scale.