Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, low-complexity, unauthenticated input-validation DoS with no user interaction; impact limited to availability, so C:N/I:N/A:H and S:U.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network.
AnalysisAI
Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to crash or hang the runtime by sending crafted input that fails proper type validation (CWE-1287). The flaw carries a CVSS 7.5 rating driven entirely by availability impact (A:H) with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation over the network against a .NET application that processes attacker-supplied input through the affected type-validation path (CVSS AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mostly consistent and point to a moderate-priority DoS rather than a critical breach: the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a network-reachable, low-complexity, unauthenticated attack with no user interaction, but the impact is confined to availability - no data disclosure or code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a specially crafted network request containing input whose type or structure is not properly validated to a public-facing ASP.NET Core service running an affected .NET version. The malformed input reaches the vulnerable parsing path, throws an unhandled error or exhausts resources, and crashes or hangs the worker process, taking the service offline for legitimate users. … |
| Remediation | Patch available per vendor advisory: apply the Microsoft update for the affected .NET release train (8.0, 9.0, or 10.0) and update Visual Studio 2022 (17.12/17.14) and Visual Studio 2026 (18.7) to their patched builds as listed in the MSRC guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50524; exact fixed version numbers are not included in the provided data and should be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and document all systems running Microsoft .NET versions 8.0, 9.0, or 10.0, prioritizing internet-facing applications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully
Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo
Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticate
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44392