Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, unauthenticated, low-complexity DoS with availability-only impact; no confidentiality or integrity loss, matching the buffer-overflow-to-crash behavior.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Stack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network.
AnalysisAI
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and .NET Framework (3.5 through 4.8.1) allows a remote, unauthenticated attacker to crash affected applications by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw impacts availability only - there is no confidentiality or integrity loss and no code execution per the CVSS vector (A:H, C:N, I:N). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no special conditions are required beyond network reachability - remote unauthenticated exploitation is possible against affected .NET and .NET Framework applications that process attacker-supplied input over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a network-reachable, low-complexity, unauthenticated attack whose entire severity comes from availability impact - this is a pure DoS, not an RCE, despite the buffer-overflow root cause. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a specially crafted network request or malformed input to an internet-exposed .NET or ASP.NET service, overflowing a fixed-size stack buffer during parsing and crashing the worker process. Repeating the request keeps the service offline, producing a denial of service against any consumers of that application. … |
| Remediation | Patch available per vendor advisory: apply the latest Microsoft security updates for the affected .NET runtime and .NET Framework versions as published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50527, and update Visual Studio 2022 (17.12/17.14) and Visual Studio 2026 (18.7) to the servicing releases that bundle the fixed components. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit your infrastructure for instances of Microsoft .NET 8.0, 9.0, 10.0 or .NET Framework 3.5-4.8.1 and consult the Microsoft security advisory referenced in CVE-2026-50527. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 a
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to ex
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service o
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully
Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumve
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allo
Denial of service in ASP.NET Core (the web framework shipped with .NET 8.0, 9.0, and 10.0) lets a remote, unauthenticate
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44395