Skip to main content

.NET CVE-2026-50525

| EUVDEUVD-2026-44393 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-14 microsoft
7.5
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.5 HIGH

Unauthenticated network input triggers uncontrolled allocation with no user interaction (AV:N/AC:L/PR:N/UI:N); impact is availability-only DoS, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:45 vuln.today
CVE Published
Jul 14, 2026 - 19:29 nvd
HIGH 7.5

DescriptionCVE.org

Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.

AnalysisAI

Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-exposed .NET service
Delivery
Send crafted request(s)
Exploit
Trigger unbounded resource allocation
Execution
Exhaust memory/threads
Impact
Service becomes unavailable

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation (AV:N/AC:L/PR:N/UI:N) against network-reachable .NET 8.0/9.0/10.0 applications. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H describes a low-complexity, unauthenticated, network-reachable attack with high availability impact but no confidentiality or integrity impact - a classic remotely-triggerable DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the network sends specially crafted requests to an internet-facing ASP.NET Core service running an unpatched .NET runtime, each triggering disproportionate memory or thread allocation. With low attack complexity and no authentication or user interaction required, a modest volume of requests exhausts server resources and makes the application unresponsive to legitimate users. …
Remediation Vendor-released patch: available from Microsoft - apply the updated .NET 8.0/9.0/10.0 runtime and SDK releases referenced in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50525), and update Visual Studio 2022 to 17.12/17.14 or Visual Studio 2026 to 18.7 where the SDK is consumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and catalog all production and pre-production systems running .NET 8.0, 9.0, or 10.0, prioritizing internet-facing ASP.NET Core applications and APIs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47303 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-50528 HIGH
8.2 Jul 14

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve

CVE-2026-32203 HIGH
7.5 Apr 14

Denial of service via stack buffer overflow in .NET (versions 8.0, 9.0, 10.0) and Visual Studio 2022 (versions 17.12, 17

CVE-2026-32178 HIGH
7.5 Apr 14

Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers

CVE-2026-50651 HIGH
7.5 Jul 14

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) a

Share

CVE-2026-50525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy