Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local delivery of a serialized payload (AV:L) requiring a user to open it (UI:R), no privileges needed (PR:N), yielding full code execution at user context (C/I/A:H).
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of untrusted data in .NET allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local delivery of attacker-controlled serialized data to an application running on the affected .NET 8.0/9.0 runtime (or the bundled Visual Studio toolsets) that deserializes untrusted input, and it requires user interaction (CVSS UI:R) - a victim must open or process the malicious payload for code execution to occur. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The 7.8 CVSS score is driven by high C/I/A impact, but the vector materially constrains real-world risk: AV:L means the attacker needs local access to the target, and UI:R means a user must take an action (e.g., open a crafted file or run a malicious application) for exploitation to succeed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious serialized payload and delivers it as a file or data stream to a victim who runs a .NET application (or opens a project in Visual Studio) that deserializes it; when the victim opens or processes the payload, the embedded gadget chain triggers arbitrary code execution at the victim's privilege level. No public POC was referenced, and the local vector plus required user interaction mean the attacker relies on social engineering or a poisoned artifact rather than remote automation. |
| Remediation | Patch available per vendor advisory: apply the Microsoft security updates for the affected .NET 8.0 and 9.0 runtimes and update Visual Studio 2022 (17.12 and 17.14) and Visual Studio 2026 (18.7) to the fixed builds published in the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50649; the input does not include a specific fixed version string, so retrieve the exact patched build from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running .NET 8.0, .NET 9.0, or Visual Studio 2022/2026, and restrict access to untrusted serialized data files from email and external sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully
Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve
Local code execution in Microsoft .NET (Framework 3.5 through 4.8.1, .NET 8.0/9.0, and Visual Studio 2022/2026) arises f
Local privilege elevation in Microsoft .NET Framework (and .NET 8.0/9.0 plus Visual Studio 2022/2026) via code injection
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44399