Description
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Published: 2026-03-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in ASP.NET Core is caused by the allocation of resources without limits or throttling, which allows an unauthorized attacker to deny service over a network. This creates a high‑impact denial of service scenario stemming from a resource exhaustion weakness identified as CWE‑770.

Affected Systems

Affected products are Microsoft ASP.NET Core 8.0, 9.0, and 10.0. The flaw applies to all these framework versions and, by extension, any web applications built on them that do not implement their own resource limits.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of 2% suggests a relatively low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would occur remotely via the network, where an attacker sends crafted requests to the application, causing sustained resource consumption that leads to service unavailability. No specific authentication or privileged access is required, and the attack vector requires only network connectivity to the vulnerable endpoints.

Generated by OpenCVE AI on March 17, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest security update for Microsoft ASP.NET Core 8.0, 9.0, and 10.0 from Microsoft’s update guide.
  • If a patch is not yet available, configure application or server‑level resource limits or enable throttling to reduce the impact of potential DoS attacks.
  • As a temporary countermeasure, filter or block traffic to the vulnerable endpoints using a firewall or Web Application Firewall and monitor application performance for signs of resource exhaustion.

Generated by OpenCVE AI on March 17, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4vgm-c2wm-63mw .NET Denial of Service Vulnerability
Ubuntu USN Ubuntu USN USN-8085-1 .NET vulnerabilities
History

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.1
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Title ASP.NET Core Denial of Service Vulnerability
First Time appeared Microsoft
Microsoft asp.net Core
Weaknesses CWE-770
CPEs cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft asp.net Core
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Asp.net Core
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:33:18.746Z

Reserved: 2026-02-11T15:52:13.912Z

Link: CVE-2026-26130

cve-icon Vulnrichment

Updated: 2026-03-10T19:49:33.089Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:42.223

Modified: 2026-04-02T13:58:49.900

Link: CVE-2026-26130

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-10T17:05:22Z

Links: CVE-2026-26130 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:34:00Z

Weaknesses