Skip to main content

.NET EUVDEUVD-2026-44394

| CVE-2026-50526 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-07-14 microsoft
7.0
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
6.5 MEDIUM

Local low-priv attacker winning a symlink TOCTOU race (AV:L/AC:H/PR:L); description emphasizes tampering so I:H/A:H, with only limited confidentiality (C:L) since impact is redirected file writes.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:45 vuln.today
CVE Published
Jul 14, 2026 - 19:29 nvd
HIGH 7.0

DescriptionCVE.org

Improper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally.

AnalysisAI

Local tampering via symbolic-link following in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the bundled toolchain in Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) allows an authorized local attacker to redirect a privileged file operation to an unintended target, corrupting or replacing files outside their normal permissions. Microsoft (the reporter) has released a fix; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged local account
Delivery
Stage symlink/junction on target path
Exploit
Trigger privileged .NET or build file operation
Execution
Win TOCTOU race to redirect write
Persist
Tamper with or overwrite protected file
Impact
Leverage for escalation or integrity loss

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already have a low-privileged authenticated local account (PR:L) on the machine running the affected .NET runtime/SDK or Visual Studio, and the ability to create symbolic/hard links or junctions on the target filesystem (on Windows, symlink creation is privileged by default, which is a meaningful limiter). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.0) describes a locally exploitable flaw needing an already-authenticated low-privileged user and a hard-to-win race (AC:H), but full high impact to confidentiality, integrity, and availability once won. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user on a shared build server or multi-tenant host pre-plants a symbolic link (or wins a race by swapping a directory for a link) at a path that a higher-privileged .NET or Visual Studio build operation is about to write to, causing that trusted process to overwrite or create a file at an attacker-controlled location. Because the race is timing-sensitive (AC:H) the attacker may need many attempts, but success can corrupt sensitive files or plant content used for later privilege escalation. …
Remediation Patch available per vendor advisory: apply the Microsoft update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50526, which covers the affected .NET 8.0/9.0/10.0 runtimes and SDKs and the Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) packages - the exact fixed version numbers are enumerated in that advisory and should be pulled from there rather than assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit deployments of .NET 8.0, 9.0, and 10.0, and Visual Studio 2022 (versions 17.12, 17.14) and 2026 (version 18.7) to identify affected systems, prioritizing build servers and CI/CD environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33116 HIGH POC
7.5 Apr 14

Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a

CVE-2026-26171 HIGH POC
7.5 Apr 14

Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex

CVE-2026-42899 HIGH POC
7.5 May 12

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o

CVE-2026-35433 HIGH POC
7.3 May 12

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

CVE-2026-32177 HIGH POC
7.3 May 12

Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through

CVE-2026-47303 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-47300 HIGH
8.8 Jul 14

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged

CVE-2026-32175 MEDIUM POC
4.3 May 12

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully

CVE-2026-50528 HIGH
8.2 Jul 14

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve

CVE-2026-57108 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or

CVE-2026-47302 HIGH
7.5 Jul 14

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo

CVE-2026-56170 HIGH
7.5 Jul 14

Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticate

Share

EUVD-2026-44394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy