Skip to main content

Severity by source

Vendor (microsoft) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity network DoS with no user interaction; availability-only impact (A:H) and no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:43 vuln.today
CVE Published
Jul 14, 2026 - 19:29 nvd
HIGH 7.5

DescriptionCVE.org

Allocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network.

AnalysisAI

Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-facing .NET service
Delivery
Send crafted request stream
Exploit
Trigger unbounded resource allocation
Execution
Exhaust memory/CPU/threads
Impact
Service becomes unavailable

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of network-facing Microsoft .NET and .NET Framework applications, per AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a fully remote, unauthenticated, low-complexity attack with no user interaction and high availability impact but zero confidentiality or integrity impact - a classic network DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with only network access to an exposed .NET application sends a stream of crafted requests that each cause the runtime to allocate memory, threads, or connections without limit, driving the host to resource exhaustion. Because no authentication or user interaction is required (PR:N/UI:N) and complexity is low (AC:L), the requests can be scripted and repeated to keep the service unavailable. …
Remediation Patch available per vendor advisory: apply the Microsoft security updates referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50648 for each affected .NET and .NET Framework channel via Windows Update or the .NET update packages, and update affected Visual Studio 2022/2026 installations to the latest servicing release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all .NET deployments to identify affected versions (8.0, 9.0, 10.0, and Framework 3.5-4.8.1) and prioritize network-facing applications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47303 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-50528 HIGH
8.2 Jul 14

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve

CVE-2026-32203 HIGH
7.5 Apr 14

Denial of service via stack buffer overflow in .NET (versions 8.0, 9.0, 10.0) and Visual Studio 2022 (versions 17.12, 17

CVE-2026-32178 HIGH
7.5 Apr 14

Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers

CVE-2026-50651 HIGH
7.5 Jul 14

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) a

Share

CVE-2026-50648 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy