Skip to main content

.NET EUVDEUVD-2026-44392

| CVE-2026-50524 HIGH
Improper Validation of Specified Type of Input (CWE-1287)
2026-07-14 microsoft
7.5
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.5 HIGH

Network-reachable, low-complexity, unauthenticated input-validation DoS with no user interaction; impact limited to availability, so C:N/I:N/A:H and S:U.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:45 vuln.today
CVE Published
Jul 14, 2026 - 19:29 nvd
HIGH 7.5

DescriptionCVE.org

Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network.

AnalysisAI

Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to crash or hang the runtime by sending crafted input that fails proper type validation (CWE-1287). The flaw carries a CVSS 7.5 rating driven entirely by availability impact (A:H) with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-exposed .NET endpoint
Delivery
Send crafted mistyped input
Exploit
Bypass improper type validation
Execution
Trigger unhandled error or resource exhaustion
Persist
Crash or hang service
Impact
Denial of service for users

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation over the network against a .NET application that processes attacker-supplied input through the affected type-validation path (CVSS AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mostly consistent and point to a moderate-priority DoS rather than a critical breach: the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a network-reachable, low-complexity, unauthenticated attack with no user interaction, but the impact is confined to availability - no data disclosure or code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a specially crafted network request containing input whose type or structure is not properly validated to a public-facing ASP.NET Core service running an affected .NET version. The malformed input reaches the vulnerable parsing path, throws an unhandled error or exhausts resources, and crashes or hangs the worker process, taking the service offline for legitimate users. …
Remediation Patch available per vendor advisory: apply the Microsoft update for the affected .NET release train (8.0, 9.0, or 10.0) and update Visual Studio 2022 (17.12/17.14) and Visual Studio 2026 (18.7) to their patched builds as listed in the MSRC guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50524; exact fixed version numbers are not included in the provided data and should be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and document all systems running Microsoft .NET versions 8.0, 9.0, or 10.0, prioritizing internet-facing applications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47303 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-50528 HIGH
8.2 Jul 14

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve

CVE-2026-57108 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or

CVE-2026-47302 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo

CVE-2026-56170 HIGH
7.5 Jul 14

Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticate

Share

EUVD-2026-44392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy