CoreWCF NetNamedPipe CVE-2026-54777
MEDIUMSeverity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Local attack vector and race condition timing requirement justify AV:L/AC:H; shared memory read access requires low privileges; full traffic interception yields C:H/I:H with minor availability disruption.
Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).
CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
Impact
CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic. NetNamedPipe creates a shared memory object based on the listening url, then generated a unique GUID for the named pipe it will be using and saves this to the shared memory object. Then it creates the named pipe to listen for clients. This requires an attacker to race the service and create the named pipe between the service publishing the GUID to the shared memory location (which the attacker needs to read) and the service creating the named pipe itself.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
None
AnalysisAI
Local named pipe interception in CoreWCF.NetNamedPipe allows an authenticated local attacker to hijack WCF inter-process communication by winning a TOCTOU race condition. Affected versions expose a window between GUID publication to shared memory and named pipe creation, during which an attacker can pre-create the pipe and silently intercept or manipulate all NetNamedPipe transport traffic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) local access to the target system with at least low-privileged OS user credentials (PR:L - the attacker must be able to read shared memory objects and create named pipes, which are standard low-privilege capabilities on Windows); (2) the target application must use CoreWCF.NetNamedPipe transport specifically - other CoreWCF transports are unaffected; (3) the attacker must time the race window between the service's GUID publication to shared memory and its named pipe creation - this is inherently probabilistic and may require multiple attempts (AC:H); (4) the attacker must know or monitor for the listening URL used by the target CoreWCF service, as the shared memory key is derived from it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L accurately reflects the constrained but meaningful risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged local user on the same host as a CoreWCF service using NetNamedPipe transport monitors the shared memory namespace for URLs registered by the service, reads the GUID written during service startup, and immediately attempts to create a named pipe with that GUID before the CoreWCF service does. If the race is won, all subsequent client connections to that service are transparently handled by the attacker's pipe instance, allowing interception and potential modification of all WCF messages. … |
| Remediation | Vendor-released patches are available: upgrade CoreWCF.NetNamedPipe to version 1.8.1 (for applications on the 1.x stable branch) or version 1.9.1 (for applications on the 1.9.x branch). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6jj2-4q5c-x8g6