Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local file/project delivery gives AV:L with UI:R for the victim opening it; no app privileges needed (PR:N); code execution in user context yields C:H/I:H/A:H.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Protection mechanism failure in .NET Framework allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft .NET (Framework 3.5 through 4.8.1, .NET 8.0/9.0, and Visual Studio 2022/2026) arises from a protection mechanism failure (CWE-693) that lets an unauthorized attacker run arbitrary code once a victim is lured into opening a malicious file or project. The flaw requires user interaction (UI:R) and local delivery (AV:L) but no prior privileges (PR:N), yielding high confidentiality, integrity, and availability impact and a 7.8 CVSS score. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local delivery of attacker-controlled content and the victim performing an action to open or process it (CVSS UI:R), so this is not remotely triggerable without interaction; the target host must have one of the affected .NET Framework versions (3.5-4.8.1), the .NET 8.0/9.0 runtime, or Visual Studio 2022 (17.12/17.14) / 2026 (18.7) installed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H = 7.8 High) describes a locally-delivered, low-complexity attack that needs no privileges but does need the victim to take an action, capping it below network-wormable criticality. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious file, solution, or project that abuses the failed .NET protection mechanism and delivers it to a victim by email, chat, or a shared repository. When the user opens the content on a machine with a vulnerable .NET runtime or Visual Studio build (AV:L, UI:R), the bypass triggers and arbitrary code runs in the victim's security context. … |
| Remediation | Apply the vendor patch: Patch available per vendor advisory (Microsoft) - install the security updates referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50646 for each affected component, which for the in-box .NET Framework arrive via the monthly Windows cumulative/security-only updates and for .NET 8.0/9.0 via the corresponding runtime servicing release, while Visual Studio 2022 (17.12/17.14) and 2026 (18.7) are fixed through their in-product updater. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running affected Microsoft .NET Framework versions (3.5-4.8.1, 8.0, 9.0) and Visual Studio editions (2022, 2026), prioritizing development workstations and servers hosting .NET applications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully
Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve
Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe d
Local privilege elevation in Microsoft .NET Framework (and .NET 8.0/9.0 plus Visual Studio 2022/2026) via code injection
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44397