Description
Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.
Published: 2026-04-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Improper input validation in the .NET Framework enables an unauthorized attacker to trigger a denial of service over a network. This flaw can cause application processes to terminate or become unresponsive, resulting in loss of availability and potential interruption to user tasks. The issue is mapped to CWE-366 (Race Condition) and CWE-755 (Unsafe or Insecure Synchronization Mechanism), reflecting the underlying synchronization weaknesses that surface during input handling.)

Affected Systems

The flaw affects multiple Microsoft .NET Framework releases, including versions 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, and 4.8.1. Any system that hosts applications built on these framework versions could be impacted, especially where network exposure is possible.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is <1%, indicating a very low but non‑zero exploitation probability. The attack vector is inferred to be network‑based, as the description references denial of service over a network. The vulnerability is not listed in the CISA KEV catalog yet, but the high CVSS and potential for remote exploitation warrant prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 02:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for the .NET Framework from Microsoft’s update guide
  • If the patch cannot be applied immediately, restrict network access to the vulnerable components to prevent exploitation until the update is installed
  • Monitor system logs and application performance for signs of service hangs or high CPU usage that could indicate exploitation attempts

Generated by OpenCVE AI on April 16, 2026 at 02:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2012
Microsoft windows Server 2022
Microsoft windows Server 2022 23h2
Microsoft windows Server 2025
CPEs cpe:2.3:a:microsoft:.net_framework:3.5:-:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:4.6.2:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:4.7.1:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:4.7.2:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:4.7:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:4.8.1:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:4.8:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24h2:-:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_24h2:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_25h2:-:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25h2:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_26h1:-:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26h1:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2025:-:*:*:*:*:*:x64:*
Vendors & Products Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2012
Microsoft windows Server 2022
Microsoft windows Server 2022 23h2
Microsoft windows Server 2025

Wed, 15 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network. Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft .net Framework
Vendors & Products Microsoft .net Framework

Wed, 15 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network.
Title .NET Framework Denial of Service Vulnerability
First Time appeared Microsoft
Microsoft .net
Weaknesses CWE-755
CPEs cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft .net
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C'}

Subscriptions

Microsoft .net .net Framework Windows 10 1607 Windows 10 1809 Windows 10 21h2 Windows 10 22h2 Windows 11 22h2 Windows 11 23h2 Windows 11 24h2 Windows 11 25h2 Windows 11 26h1 Windows Server 2012 Windows Server 2022 Windows Server 2022 23h2 Windows Server 2025
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-30T14:41:48.509Z

Reserved: 2026-01-14T16:59:33.464Z

Link: CVE-2026-23666

cve-icon Vulnrichment

Updated: 2026-04-15T13:41:03.726Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:16:44.507

Modified: 2026-05-07T19:46:16.750

Link: CVE-2026-23666

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-14T16:57:53Z

Links: CVE-2026-23666 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses