Skip to main content

CoreWCF NetNamedPipe CVE-2026-54777

MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-19 https://github.com/CoreWCF/CoreWCF GHSA-6jj2-4q5c-x8g6
6.5
CVSS 3.1 · Vendor: https://github.com/CoreWCF/CoreWCF
Share

Severity by source

Vendor (https://github.com/CoreWCF/CoreWCF) PRIMARY
6.5 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
6.5 MEDIUM

Local attack vector and race condition timing requirement justify AV:L/AC:H; shared memory read access requires low privileges; full traffic interception yields C:H/I:H with minor availability disruption.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CoreWCF/CoreWCF).

CVSS VectorVendor: https://github.com/CoreWCF/CoreWCF

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:49 vuln.today
Analysis Generated
Jun 19, 2026 - 21:49 vuln.today

DescriptionCVE.org

Impact

CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic. NetNamedPipe creates a shared memory object based on the listening url, then generated a unique GUID for the named pipe it will be using and saves this to the shared memory object. Then it creates the named pipe to listen for clients. This requires an attacker to race the service and create the named pipe between the service publishing the GUID to the shared memory location (which the attacker needs to read) and the service creating the named pipe itself.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

AnalysisAI

Local named pipe interception in CoreWCF.NetNamedPipe allows an authenticated local attacker to hijack WCF inter-process communication by winning a TOCTOU race condition. Affected versions expose a window between GUID publication to shared memory and named pipe creation, during which an attacker can pre-create the pipe and silently intercept or manipulate all NetNamedPipe transport traffic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privilege local access
Delivery
Identify CoreWCF NetNamedPipe service URL
Exploit
Read GUID from shared memory object
Execution
Race service: create named pipe with stolen GUID
Persist
Service attaches to attacker-controlled pipe
Impact
Intercept and optionally modify WCF traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) local access to the target system with at least low-privileged OS user credentials (PR:L - the attacker must be able to read shared memory objects and create named pipes, which are standard low-privilege capabilities on Windows); (2) the target application must use CoreWCF.NetNamedPipe transport specifically - other CoreWCF transports are unaffected; (3) the attacker must time the race window between the service's GUID publication to shared memory and its named pipe creation - this is inherently probabilistic and may require multiple attempts (AC:H); (4) the attacker must know or monitor for the listening URL used by the target CoreWCF service, as the shared memory key is derived from it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L accurately reflects the constrained but meaningful risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged local user on the same host as a CoreWCF service using NetNamedPipe transport monitors the shared memory namespace for URLs registered by the service, reads the GUID written during service startup, and immediately attempts to create a named pipe with that GUID before the CoreWCF service does. If the race is won, all subsequent client connections to that service are transparently handled by the attacker's pipe instance, allowing interception and potential modification of all WCF messages. …
Remediation Vendor-released patches are available: upgrade CoreWCF.NetNamedPipe to version 1.8.1 (for applications on the 1.x stable branch) or version 1.9.1 (for applications on the 1.9.x branch). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy