Skip to main content

CoreWCF CVE-2026-54772

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-p86g-xrr2-pf7c
7.5
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable framing endpoint, no auth or user interaction, trivial to send malformed preamble; only availability is impacted, with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:29 vuln.today
Analysis Generated
Jun 19, 2026 - 21:29 vuln.today

DescriptionCVE.org

Impact

An unauthenticated remote attacker can pin one server thread‑pool worker at 100 % CPU per connection. With a few connections, the CPU usage can be exhausted.

Preconditions

An attacker being able to reach a service which is exposing an endpoint using one of NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

AnalysisAI

Denial of service in CoreWCF net.tcp, net.pipe, and net.uds framing handshake allows unauthenticated remote attackers to pin a server thread-pool worker at 100% CPU per TCP connection, exhausting CPU resources with only a small number of concurrent connections. Affects CoreWCF.NetFramingBase versions below 1.8.1 and 1.9.0 through 1.9.0, with no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed net.tcp/net.pipe/net.uds endpoint
Delivery
Open TCP/IPC connection to listener
Exploit
Send crafted framing handshake preamble
Install
Trigger non-terminating loop in framing parser
C2
Pin thread-pool worker at 100% CPU
Execute
Repeat across a few connections
Impact
Exhaust CPU and deny service

Vulnerability AssessmentAI

Exploitation The target must be a CoreWCF service hosting at least one endpoint bound to NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding, and the attacker must be able to open a connection to that binding's listener - typically the configured net.tcp port for NetTcpBinding, or the named pipe / Unix domain socket path for the IPC bindings. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects a network-reachable, low-complexity, fully unauthenticated availability-only attack - exactly the profile of a cheap DoS primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reach to a CoreWCF service exposing a NetTcpBinding endpoint opens a few TCP connections and sends a crafted framing preamble that drives the handshake parser into a non-terminating loop. Each connection permanently consumes one thread-pool worker at 100% CPU, and within a handful of connections the service stops processing legitimate requests until it is restarted. …
Remediation Vendor-released patch: upgrade CoreWCF.NetFramingBase to 1.8.1 on the 1.8.x line or 1.9.1 on the 1.9.x line, per the GitHub Security Advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-p86g-xrr2-pf7c. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all systems running CoreWCF.NetFramingBase <1.8.1; classify by business criticality and network exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54772 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy