Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated network input triggers uncontrolled allocation with no user interaction (AV:N/AC:L/PR:N/UI:N); impact is availability-only DoS, so C:N/I:N/A:H.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
AnalysisAI
Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation (AV:N/AC:L/PR:N/UI:N) against network-reachable .NET 8.0/9.0/10.0 applications. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H describes a low-complexity, unauthenticated, network-reachable attack with high availability impact but no confidentiality or integrity impact - a classic remotely-triggerable DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the network sends specially crafted requests to an internet-facing ASP.NET Core service running an unpatched .NET runtime, each triggering disproportionate memory or thread allocation. With low attack complexity and no authentication or user interaction required, a modest volume of requests exhausts server resources and makes the application unresponsive to legitimate users. … |
| Remediation | Vendor-released patch: available from Microsoft - apply the updated .NET 8.0/9.0/10.0 runtime and SDK releases referenced in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50525), and update Visual Studio 2022 to 17.12/17.14 or Visual Studio 2026 to 18.7 where the SDK is consumed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and catalog all production and pre-production systems running .NET 8.0, 9.0, or 10.0, prioritizing internet-facing ASP.NET Core applications and APIs. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully
Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve
Denial of service via stack buffer overflow in .NET (versions 8.0, 9.0, 10.0) and Visual Studio 2022 (versions 17.12, 17
Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers
Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) a
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44393