Skip to main content

.NET CVE-2026-50649

| EUVDEUVD-2026-44399 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-14 microsoft
7.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.8 HIGH

Local delivery of a serialized payload (AV:L) requiring a user to open it (UI:R), no privileges needed (PR:N), yielding full code execution at user context (C/I/A:H).

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:43 vuln.today
CVE Published
Jul 14, 2026 - 19:29 nvd
HIGH 7.8

DescriptionCVE.org

Deserialization of untrusted data in .NET allows an unauthorized attacker to execute code locally.

AnalysisAI

Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to target host
Delivery
Deliver crafted serialized payload to user
Exploit
User opens/processes malicious data
Execution
Trigger unsafe .NET deserialization gadget chain
Impact
Execute arbitrary code as user

Vulnerability AssessmentAI

Exploitation Exploitation requires local delivery of attacker-controlled serialized data to an application running on the affected .NET 8.0/9.0 runtime (or the bundled Visual Studio toolsets) that deserializes untrusted input, and it requires user interaction (CVSS UI:R) - a victim must open or process the malicious payload for code execution to occur. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The 7.8 CVSS score is driven by high C/I/A impact, but the vector materially constrains real-world risk: AV:L means the attacker needs local access to the target, and UI:R means a user must take an action (e.g., open a crafted file or run a malicious application) for exploitation to succeed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious serialized payload and delivers it as a file or data stream to a victim who runs a .NET application (or opens a project in Visual Studio) that deserializes it; when the victim opens or processes the payload, the embedded gadget chain triggers arbitrary code execution at the victim's privilege level. No public POC was referenced, and the local vector plus required user interaction mean the attacker relies on social engineering or a poisoned artifact rather than remote automation.
Remediation Patch available per vendor advisory: apply the Microsoft security updates for the affected .NET 8.0 and 9.0 runtimes and update Visual Studio 2022 (17.12 and 17.14) and Visual Studio 2026 (18.7) to the fixed builds published in the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50649; the input does not include a specific fixed version string, so retrieve the exact patched build from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running .NET 8.0, .NET 9.0, or Visual Studio 2022/2026, and restrict access to untrusted serialized data files from email and external sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47303 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-50528 HIGH
8.2 Jul 14

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve

CVE-2026-50646 HIGH
7.8 Jul 14

Local code execution in Microsoft .NET (Framework 3.5 through 4.8.1, .NET 8.0/9.0, and Visual Studio 2022/2026) arises f

CVE-2026-50650 HIGH
7.8 Jul 14

Local privilege elevation in Microsoft .NET Framework (and .NET 8.0/9.0 plus Visual Studio 2022/2026) via code injection

CVE-2026-57108 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or

Share

CVE-2026-50649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy