CVE-2026-26127 - Vulnerability Details

Description

Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

Published: 2026-03-10

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability allows an attacker to trigger an out‑of‑bounds read in the .NET runtime, resulting in a denial of service that can be exercised over a network. The weakness is classified as CWE‑125 and can cause the affected application to crash or become unresponsive, disrupting availability for legitimate users.

Affected Systems

The flaw affects Microsoft .NET 9.0 and 10.0, as well as the Microsoft Bcl.Memory library. Systems running these components on Windows, Linux, macOS, or in cloud environments such as Red Hat Enterprise Linux 8/9/10.1 are potentially vulnerable. Any application that loads the affected .NET framework or library is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests a low probability of being actively exploited. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote network attacker sending a crafted exploit to the vulnerable .NET component; local privilege is not required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

.NET 10.0

affected

Version	Status	Constraints
`10.0.0`	affected	< 10.0.4

Microsoft

.NET 9.0

affected

Version	Status	Constraints
`9.0.0`	affected	< 9.0.14

Microsoft

Microsoft.Bcl.Memory

affected

Version	Status	Constraints
`10.0.0`	affected	< 10.0.4

Microsoft

Microsoft.Bcl.Memory

affected

Version	Status	Constraints
`9.0.0`	affected	< 9.0.14

Configuration 1 [-]

AND

cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:microsoft:bcl.memory::::::::
	cpe:2.3:a:microsoft:bcl.memory::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
dotnet9.0-0:9.0.115-1.el10_1	cpe:/o:redhat:enterprise_linux:10.1	RHSA-2026:4450	2026-03-12T00:00:00Z
dotnet10.0-0:10.0.104-1.el10_1	cpe:/o:redhat:enterprise_linux:10.1	RHSA-2026:4453	2026-03-12T00:00:00Z
Red Hat Enterprise Linux 8
dotnet9.0-0:9.0.115-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2026:4443	2026-03-12T00:00:00Z
dotnet10.0-0:10.0.104-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2026:4458	2026-03-12T00:00:00Z
Red Hat Enterprise Linux 9
dotnet10.0-0:10.0.104-1.el9_7	cpe:/a:redhat:enterprise_linux:9	RHSA-2026:4445	2026-03-12T00:00:00Z
dotnet9.0-0:9.0.115-1.el9_7	cpe:/a:redhat:enterprise_linux:9	RHSA-2026:4456	2026-03-12T00:00:00Z

Vendor Product Confidence Versions

Microsoft

.net

95%

Version	Status	Scheme	Platform
`[10.0.0,10.0.4)`	affected	semver	—

Microsoft

.net

95%

Version	Status	Scheme	Platform
`[9.0.0,9.0.14)`	affected	semver	—

Microsoft

Bcl Memory

80%

Version	Status	Scheme	Platform
`[10.0.0,10.0.4)`	affected	semver	—

Microsoft

Bcl Memory

80%

Version	Status	Scheme	Platform
`[9.0.0,9.0.14)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the Microsoft security update for the vulnerable .NET version as per the MSRC advisory
Verify the installed version is the patched one
Restart any services that depend on .NET to ensure the update takes effect
Monitor application logs for any remaining out‑of‑bounds read errors or crashes

Generated by OpenCVE AI on April 2, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-73j8-2gch-69rq	.NET Denial of Service Vulnerability
Ubuntu USN	USN-8085-1	.NET vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00078.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127
https://nvd.nist.gov/vuln/detail/CVE-2026-26127
https://www.cve.org/CVERecord?id=CVE-2026-26127

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft bcl.memory Microsoft windows
CPEs		cpe:2.3:a:microsoft:bcl.memory:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft bcl.memory Microsoft windows

Fri, 13 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:10.1
Vendors & Products		Redhat Redhat enterprise Linux
References		https://nvd.nist.gov/vuln/detail/CVE-2026-26127 https://www.cve.org/CVERecord?id=CVE-2026-26127
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft bcl Memory
Vendors & Products		Microsoft bcl Memory

Tue, 10 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.
Title		.NET Denial of Service Vulnerability
First Time appeared		Microsoft Microsoft .net Microsoft bcl Memory
Weaknesses		CWE-125
CPEs		cpe:2.3:a:microsoft:.net:::::::: cpe:2.3:a:microsoft:Bcl_memory::::::::
Vendors & Products		Microsoft Microsoft .net Microsoft bcl Memory
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}`

Subscriptions

Apple Macos

Linux Linux Kernel

Microsoft .net Bcl Memory Bcl.memory Bcl Memory Windows

Redhat Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-03-10T17:05:10.752Z

Updated: 2026-03-27T22:33:01.428Z

Reserved: 2026-02-11T15:52:13.912Z

Link: CVE-2026-26127

Vulnrichment

Updated: 2026-03-10T18:01:22.602Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:41.713

Modified: 2026-04-01T20:22:46.643

Link: CVE-2026-26127

Redhat

Severity : Moderate

Publid Date: 2026-03-10T17:05:10Z

Links: CVE-2026-26127 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T08:00:22Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object