Description
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Published: 2026-03-10
Score: 7.5 High
EPSS: 2.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in ASP.NET Core stems from an uncontrolled allocation of system resources without limits or throttling, exposing a resource exhaustion weakness classified as CWE-770. This allows an unauthenticated external actor to consume memory or other key resources, ultimately disrupting application responsiveness and availability.

Affected Systems

The affected products are Microsoft ASP.NET Core runtime versions 8.0, 9.0, and 10.0, as well as any web applications that run on these framework versions. The Common Platform Enumeration indicates that environments such as Red Hat Enterprise Linux 8, 9, and 10.1 can host the vulnerable runtime. The vulnerability applies to all listed framework releases where developer-supplied resource limits are not in place.

Risk and Exploitability

The CVSS score of 7.5 signals a high severity level, while an EPSS of 3% indicates a moderately low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation is possible remotely via the network; an attacker can send crafted HTTP requests targeting the vulnerable application to trigger sustained resource consumption until the application or hosting server becomes unresponsive. No authentication or privileged access is required, and the attack vector relies solely on network connectivity to the affected endpoints. Based on the description, it is inferred that the attacker can achieve this without needing to compromise the underlying OS or enterprise environment. The deficiency also implies that any application built on the affected ASP.NET Core versions that does not impose its own resource controls is also at risk.

Generated by OpenCVE AI on June 30, 2026 at 16:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update from Microsoft for ASP.NET Core 8.0, 9.0, or 10.0 via the Microsoft Update guide, ensuring that the version you install contains the fix for CVE‑2026‑26130.
  • If a patch has not yet been released, configure application‑level or server‑level resource limits and enable throttling to protect against resource exhaustion. This can be done by setting memory quotas or request rate limits in the ASP.NET Core configuration or web server settings.
  • As an interim countermeasure, use a firewall or web application firewall to filter or block traffic to the vulnerable endpoints, and monitor application performance for signs of resource exhaustion.

Generated by OpenCVE AI on June 30, 2026 at 16:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4vgm-c2wm-63mw .NET Denial of Service Vulnerability
Ubuntu USN Ubuntu USN USN-8085-1 .NET vulnerabilities
History

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.1
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

threat_severity

Important


Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Title ASP.NET Core Denial of Service Vulnerability
First Time appeared Microsoft
Microsoft asp.net Core
Weaknesses CWE-770
CPEs cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft asp.net Core
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Asp.net Core
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-30T12:08:12.848Z

Reserved: 2026-02-11T15:52:13.912Z

Link: CVE-2026-26130

cve-icon Vulnrichment

Updated: 2026-06-30T02:42:58.871Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:42.223

Modified: 2026-06-17T10:25:46.670

Link: CVE-2026-26130

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-10T17:05:22Z

Links: CVE-2026-26130 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling