Skip to main content

.NET CVE-2026-50651

| EUVDEUVD-2026-44406 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-14 microsoft
7.5
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity network trigger with no user interaction; impact is availability-only resource exhaustion, so C and I are N and A is H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:52 vuln.today
CVE Published
Jul 14, 2026 - 19:40 nvd
HIGH 7.5

DescriptionCVE.org

Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.

AnalysisAI

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-facing .NET endpoint
Delivery
Send crafted resource-heavy requests
Exploit
Trigger unbounded allocation (CWE-770)
Execution
Exhaust memory/threads/connections
Impact
Service crash or unavailability

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation (AV:N/AC:L/PR:N/UI:N) against network-reachable Microsoft .NET applications built on the affected 8.0/9.0/10.0 runtimes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) indicates a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, with impact limited entirely to availability (no confidentiality or integrity loss). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to an internet-facing .NET service sends crafted or high-volume requests that coerce the runtime into allocating resources without bound, driving memory, thread, or connection consumption until the process degrades or crashes. Because no authentication or user interaction is required and attack complexity is low, this can be scripted and repeated to sustain an outage. …
Remediation Vendor-released patch: apply the updates published in the Microsoft advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50651 - install the latest servicing release for your .NET 8.0, 9.0, or 10.0 runtime/SDK and the corresponding Visual Studio 2022 (17.12/17.14) or 2026 (18.7) update; the exact patched build numbers are listed in the MSRC guide. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all production systems running .NET 8.0, 9.0, or 10.0, and catalog Visual Studio 2022/2026 installations used for application development. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47303 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-50528 HIGH
8.2 Jul 14

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve

CVE-2026-32203 HIGH
7.5 Apr 14

Denial of service via stack buffer overflow in .NET (versions 8.0, 9.0, 10.0) and Visual Studio 2022 (versions 17.12, 17

CVE-2026-32178 HIGH
7.5 Apr 14

Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers

CVE-2026-50648 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote una

Share

CVE-2026-50651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy