Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remotely reachable HTTP framework flaw needing no auth or interaction (AV:N/AC:L/PR:N/UI:N), causing availability loss only (A:H) with no confidentiality or integrity impact.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
AnalysisAI
Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker exhaust server resources by triggering unbounded allocations over the network. Because affected requests are not throttled or capped, a single crafted request stream can degrade availability of the hosting process without any authentication or user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The application must be an ASP.NET Core service on .NET 8.0, 9.0, or 10.0 that is network-reachable by the attacker, and the vulnerable request-handling path must be exposed (typically any HTTP endpoint served by the affected framework). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - network-reachable, low complexity, no privileges, no user interaction, and a pure availability impact (no confidentiality or integrity loss). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an internet-facing ASP.NET Core application sends a stream of crafted requests that each force the framework to allocate resources without any enforced cap, rapidly driving memory or thread/connection exhaustion until the process becomes unresponsive or crashes. No authentication, credentials, or user interaction is required (PR:N/UI:N), so the attack can be scripted against any exposed endpoint; no public exploit identified at time of analysis. |
| Remediation | Patch available per vendor advisory - apply the updated .NET 8.0, 9.0, or 10.0 runtime/SDK builds published in Microsoft's Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56170, then rebuild/redeploy applications or update the shared framework on hosts and restart the affected ASP.NET Core processes. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and inventory all systems running ASP.NET Core on .NET 8.0, 9.0, or 10.0, prioritizing internet-facing and business-critical applications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully
Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo
Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to c
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44045