ASP.NET Core CVE-2026-45591

EUVD: EUVD-2026-35549 · HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 · secure@microsoft.com · GHSA-f8h2-vmm9-qhj6
CVSS 3.1: 7.5 (Vendor: microsoft)
Temporal: 6.5

Severity by source

Vendor (microsoft), PRIMARY: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
ENISA EUVD: HIGH (qualitative)
CIRCL (temporal): 6.5 MEDIUM (cvss)
SUSE: HIGH (qualitative)
Red Hat: 7.5 HIGH (qualitative)

Primary rating from Vendor (microsoft).

CVSS Vector (Vendor: microsoft)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 09, 2026 - 19:03 (EUVD)
Analysis Generated: Jun 09, 2026 - 18:15 (vuln.today)

Description (CVE.org)

Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Analysis (AI)

Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disrupt application availability. The CVSS 7.5 score reflects high availability impact with low attack complexity and no required privileges or user interaction, though no public exploit was identified at the time of analysis. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify internet-exposed ASP.NET Core endpoint
Delivery: Craft resource-exhausting HTTP requests
Exploit: Send sustained request flood
Execution: Trigger uncontrolled allocation in framework
Persist: Exhaust CPU/memory/threads
Impact: Application becomes unresponsive to legitimate users

Vulnerability Assessment (AI)

Exploitation: The target must be a network-reachable ASP.NET Core application (Kestrel-hosted directly, behind IIS via the ASP.NET Core Module, or behind a reverse proxy that forwards the offending request pattern intact) running an affected, unpatched runtime version as enumerated in the MSRC advisory. …

Risk Assessment: Signals are mixed and partially incomplete. …

Exploit Scenario: An unauthenticated remote attacker sends a stream of specially crafted HTTP requests to an internet-exposed ASP.NET Core endpoint that trigger the resource-consumption flaw, causing the worker process to allocate excessive CPU, memory, or threads until the application becomes unresponsive to legitimate users. Because the CVSS vector requires no privileges and no user interaction with low attack complexity, a single low-bandwidth attacker or small botnet could sustain the outage. …

Remediation: Patch available per vendor advisory. Apply the ASP.NET Core security updates published by Microsoft as referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45591, updating both the runtime and the ASP.NET Core Hosting Bundle (for IIS-hosted apps) to the fixed versions listed there, and redeploy self-contained applications rebuilt against the patched SDK. …

Recommended Action (AI)

Within 24 hours: conduct full inventory of ASP.NET Core versions and deployment scope; consult MSRC advisory CVE-2026-45591 to identify affected versions; establish incident response procedures for DoS event mitigation. …

Vendor Status

SUSE

Severity: Important
Product Status:
SUSE Liberty Linux 10: Fixed
SUSE Liberty Linux 8: Fixed
SUSE Liberty Linux 9: Fixed
