CVE-2026-26127 - Vulnerability Details

Description

Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

Published: 2026-03-10

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An out‑of‑bounds read occurs within the .NET framework, permitting an attacker to trigger a denial‑of‑service condition. The vulnerability is classified as CWE‑125 and allows an unauthorized external actor to interrupt service over a network connection, potentially disrupting application availability.

Affected Systems

Affected components include Microsoft .NET 10.0, Microsoft .NET 9.0 and Microsoft Bcl.Memory. The vulnerability is present in these runtime environments as indicated by the vendor product list and the corresponding CPE identifiers. Systems running these .NET versions may also be impacted when using the Bcl.Memory library.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of less than 1 % shows a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to send specially crafted input to the .NET runtime over the network, which is likely if the affected application is exposed to external traffic. The risk remains moderate‑high until a patch is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

.NET 10.0

affected

Version	Status	Constraints
`10.0.0`	affected	< 10.0.4

Microsoft

.NET 9.0

affected

Version	Status	Constraints
`9.0.0`	affected	< 9.0.14

Microsoft

Microsoft.Bcl.Memory

affected

Version	Status	Constraints
`10.0.0`	affected	< 10.0.4

Microsoft

Microsoft.Bcl.Memory

affected

Version	Status	Constraints
`9.0.0`	affected	< 9.0.14

Configuration 1 [-]

AND

cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:microsoft:bcl.memory::::::::
	cpe:2.3:a:microsoft:bcl.memory::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
dotnet9.0-0:9.0.115-1.el10_1	cpe:/o:redhat:enterprise_linux:10.1	RHSA-2026:4450	2026-03-12T00:00:00Z
dotnet10.0-0:10.0.104-1.el10_1	cpe:/o:redhat:enterprise_linux:10.1	RHSA-2026:4453	2026-03-12T00:00:00Z
Red Hat Enterprise Linux 8
dotnet9.0-0:9.0.115-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2026:4443	2026-03-12T00:00:00Z
dotnet10.0-0:10.0.104-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2026:4458	2026-03-12T00:00:00Z
Red Hat Enterprise Linux 9
dotnet10.0-0:10.0.104-1.el9_7	cpe:/a:redhat:enterprise_linux:9	RHSA-2026:4445	2026-03-12T00:00:00Z
dotnet9.0-0:9.0.115-1.el9_7	cpe:/a:redhat:enterprise_linux:9	RHSA-2026:4456	2026-03-12T00:00:00Z

Vendor Product Confidence Versions

Microsoft

.net

95%

Version	Status	Scheme	Platform
`[10.0.0,10.0.4)`	affected	semver	—

Microsoft

.net

95%

Version	Status	Scheme	Platform
`[9.0.0,9.0.14)`	affected	semver	—

Microsoft

Bcl Memory

80%

Version	Status	Scheme	Platform
`[10.0.0,10.0.4)`	affected	semver	—

Microsoft

Bcl Memory

80%

Version	Status	Scheme	Platform
`[9.0.0,9.0.14)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Confirm that your operating system is running Microsoft .NET 10.0 or 9.0 with the latest security updates.
Check the Microsoft Security Update Guide for a patch that addresses CVE‑2026‑26127 and apply it as soon as it is available.
If immediate patching is infeasible, restrict network access to the vulnerable application using firewall rules or a bastion host.

Generated by OpenCVE AI on March 16, 2026 at 23:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-73j8-2gch-69rq	.NET Denial of Service Vulnerability
Ubuntu USN	USN-8085-1	.NET vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00078.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127
https://nvd.nist.gov/vuln/detail/CVE-2026-26127
https://www.cve.org/CVERecord?id=CVE-2026-26127

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft bcl.memory Microsoft windows
CPEs		cpe:2.3:a:microsoft:bcl.memory:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft bcl.memory Microsoft windows

Fri, 13 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:10.1
Vendors & Products		Redhat Redhat enterprise Linux
References		https://nvd.nist.gov/vuln/detail/CVE-2026-26127 https://www.cve.org/CVERecord?id=CVE-2026-26127
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft bcl Memory
Vendors & Products		Microsoft bcl Memory

Tue, 10 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.
Title		.NET Denial of Service Vulnerability
First Time appeared		Microsoft Microsoft .net Microsoft bcl Memory
Weaknesses		CWE-125
CPEs		cpe:2.3:a:microsoft:.net:::::::: cpe:2.3:a:microsoft:Bcl_memory::::::::
Vendors & Products		Microsoft Microsoft .net Microsoft bcl Memory
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}`

Subscriptions

Apple Macos

Linux Linux Kernel

Microsoft .net Bcl Memory Bcl.memory Bcl Memory Windows

Redhat Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-03-10T17:05:10.752Z

Updated: 2026-03-27T22:33:01.428Z

Reserved: 2026-02-11T15:52:13.912Z

Link: CVE-2026-26127

Vulnrichment

Updated: 2026-03-10T18:01:22.602Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:41.713

Modified: 2026-04-01T20:22:46.643

Link: CVE-2026-26127

Redhat

Severity : Moderate

Publid Date: 2026-03-10T17:05:10Z

Links: CVE-2026-26127 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T14:34:13Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object