What is the CVSS score of CVE-2026-26171?

CVE-2026-26171 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.6%.

Which versions of Net 10 0 are affected by CVE-2026-26171?

Microsoft .NET Framework versions 8.0, 9.0, and 10.0 contain a remotely exploitable denial-of-service vulnerability that allows unauthenticated attackers to crash or degrade availability of…. A patch is available.

Is there a public PoC exploit available for CVE-2026-26171?

Yes, a public proof-of-concept exploit is available for CVE-2026-26171. Prioritise patching immediately. EPSS: 0.6%.

How to fix or mitigate CVE-2026-26171?

Within 24 hours: Identify all systems running .NET 8.0 (pre-8.0.26), .NET 9.0 (pre-9.0.15), or .NET 10.0 (pre-10.0.6) via asset inventory and configuration management systems. Within 7 days: Deploy vendor patches to .NET 8.0.26 or later, .NET 9.0.15 or later, and .NET 10.0.6 or later across all development, staging, and production environments; prioritize internet-facing applications. Within 30 days: Validate patch deployment through automated compliance scanning and conduct post-patch availability testing on critical applications.

Net 10 0 CVE-2026-26171

EUVD-2026-22404 HIGH

Uncontrolled Resource Consumption (CWE-400)

2026-04-14 microsoft

GHSA-w3x6-4m5h-cxqf

Denial Of Service Net 10 0 Net 8 0 Net 9 0

7.5

CVSS 3.1 · NVD

Temporal: 6.5

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

ENISA EUVD

HIGH

qualitative

CIRCL (temporal)

6.5 MEDIUM

cvss

SUSE

HIGH

qualitative

Red Hat

7.5 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 15:22 vuln.today

cvss_changed

PoC Detected

Apr 17, 2026 - 15:10 vuln.today

Public exploit code

Analysis Generated

Apr 14, 2026 - 19:35 vuln.today

EUVD ID Assigned

Apr 14, 2026 - 17:46 euvd

EUVD-2026-22404

Analysis Generated

Apr 14, 2026 - 17:46 vuln.today

Patch released

Apr 14, 2026 - 17:46 nvd

Patch available

CVE Published

Apr 14, 2026 - 16:58 nvd

HIGH 7.5

DescriptionCVE.org

Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.

AnalysisAI

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to exhaust system resources through network-based uncontrolled resource consumption. Affects .NET 8.0 versions prior to 8.0.26, .NET 9.0 versions prior to 9.0.15, and .NET 10.0 versions prior to 10.0.6. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify internet-exposed .NET application

Delivery

Craft resource-exhaustion payload

Exploit

Send malicious network requests

Execution

Trigger uncontrolled resource allocation

Persist

Exhaust system resources

Impact

Application becomes unresponsive

Access

Identify internet-exposed .NET application

Delivery

Craft resource-exhaustion payload

Exploit

Send malicious network requests

Execution

Trigger uncontrolled resource allocation

Persist

Exhaust system resources

Impact

Application becomes unresponsive

Vulnerability AssessmentAI

Exploitation	Remote unauthenticated attacker can exploit default .NET installations (versions not specified in description) by sending malicious network requests causing uncontrolled resource consumption. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS base score of 7.5 (High severity) reflects significant availability impact (A:H) with a network attack vector requiring no authentication (AV:N/PR:N) and low attack complexity (AC:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker identifies a public-facing .NET web application or API running a vulnerable runtime version through banner grabbing or framework fingerprinting. The attacker crafts specially formed HTTP requests designed to trigger excessive resource allocation in the .NET runtime's request processing pipeline, such as deeply nested JSON structures, extremely large XML documents, or patterns that cause algorithmic complexity explosions in parsing or validation routines. …
Remediation	Organizations should upgrade to patched .NET runtime versions released by Microsoft. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running .NET 8.0 (pre-8.0.26), .NET 9.0 (pre-9.0.15), or .NET 10.0 (pre-10.0.6) via asset inventory and configuration management systems. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

Product	Status
SUSE Liberty Linux 10	Fixed
SUSE Liberty Linux 8	Fixed
SUSE Liberty Linux 9	Fixed

CVE-2026-26171 vulnerability details – vuln.today

Back

Net 10 0 CVE-2026-26171

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code