Skip to main content

ASP.NET Core EUVDEUVD-2026-44045

| CVE-2026-56170 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-14 microsoft
7.5
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.5 HIGH

Remotely reachable HTTP framework flaw needing no auth or interaction (AV:N/AC:L/PR:N/UI:N), causing availability loss only (A:H) with no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 17:53 vuln.today
CVE Published
Jul 14, 2026 - 17:05 nvd
HIGH 7.5

DescriptionCVE.org

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.

AnalysisAI

Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker exhaust server resources by triggering unbounded allocations over the network. Because affected requests are not throttled or capped, a single crafted request stream can degrade availability of the hosting process without any authentication or user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed ASP.NET Core endpoint
Delivery
Send crafted/high-volume requests
Exploit
Trigger unbounded resource allocation
Execution
Exhaust memory or connection pool
Impact
Deny service to legitimate users

Vulnerability AssessmentAI

Exploitation The application must be an ASP.NET Core service on .NET 8.0, 9.0, or 10.0 that is network-reachable by the attacker, and the vulnerable request-handling path must be exposed (typically any HTTP endpoint served by the affected framework). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - network-reachable, low complexity, no privileges, no user interaction, and a pure availability impact (no confidentiality or integrity loss). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an internet-facing ASP.NET Core application sends a stream of crafted requests that each force the framework to allocate resources without any enforced cap, rapidly driving memory or thread/connection exhaustion until the process becomes unresponsive or crashes. No authentication, credentials, or user interaction is required (PR:N/UI:N), so the attack can be scripted against any exposed endpoint; no public exploit identified at time of analysis.
Remediation Patch available per vendor advisory - apply the updated .NET 8.0, 9.0, or 10.0 runtime/SDK builds published in Microsoft's Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56170, then rebuild/redeploy applications or update the shared framework on hosts and restart the affected ASP.NET Core processes. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all systems running ASP.NET Core on .NET 8.0, 9.0, or 10.0, prioritizing internet-facing and business-critical applications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47303 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-50528 HIGH
8.2 Jul 14

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve

CVE-2026-57108 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or

CVE-2026-47302 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo

CVE-2026-50524 HIGH
7.5 Jul 14

Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to c

Share

EUVD-2026-44045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy