CoreWCF CVE-2026-54772
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable framing endpoint, no auth or user interaction, trivial to send malformed preamble; only availability is impacted, with no confidentiality or integrity effect.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Impact
An unauthenticated remote attacker can pin one server thread‑pool worker at 100 % CPU per connection. With a few connections, the CPU usage can be exhausted.
Preconditions
An attacker being able to reach a service which is exposing an endpoint using one of NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
None
AnalysisAI
Denial of service in CoreWCF net.tcp, net.pipe, and net.uds framing handshake allows unauthenticated remote attackers to pin a server thread-pool worker at 100% CPU per TCP connection, exhausting CPU resources with only a small number of concurrent connections. Affects CoreWCF.NetFramingBase versions below 1.8.1 and 1.9.0 through 1.9.0, with no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be a CoreWCF service hosting at least one endpoint bound to NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding, and the attacker must be able to open a connection to that binding's listener - typically the configured net.tcp port for NetTcpBinding, or the named pipe / Unix domain socket path for the IPC bindings. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects a network-reachable, low-complexity, fully unauthenticated availability-only attack - exactly the profile of a cheap DoS primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reach to a CoreWCF service exposing a NetTcpBinding endpoint opens a few TCP connections and sends a crafted framing preamble that drives the handshake parser into a non-terminating loop. Each connection permanently consumes one thread-pool worker at 100% CPU, and within a handful of connections the service stops processing legitimate requests until it is restarted. … |
| Remediation | Vendor-released patch: upgrade CoreWCF.NetFramingBase to 1.8.1 on the 1.8.x line or 1.9.1 on the 1.9.x line, per the GitHub Security Advisory at https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-p86g-xrr2-pf7c. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all systems running CoreWCF.NetFramingBase <1.8.1; classify by business criticality and network exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p86g-xrr2-pf7c