Description
Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

Incorrect default permissions in Microsoft .NET 10.0 enable an attacker who already has authorized local access to increase their privileges. The flaw is mapped to CWE‑276, Incorrect Access Control. The result is that the attacker can perform actions reserved for higher‑privilege users, but the description does not specify broader consequences such as arbitrary code execution.

Affected Systems

The vulnerability affects installations of Microsoft .NET 10.0. No sub‑version details are supplied, so any .NET 10.0 deployment may be vulnerable. Although the Common Platform Enumeration list mentions Linux kernel, the CVE description does not associate the flaw with Linux products.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity level, while the EPSS score of less than 1 percent suggests that exploitation is currently unlikely. The vulnerability is not included in the CISA KEV catalog, implying no widespread coordinated attacks are documented. A local attacker with legitimate access would need to exploit the incorrect permission setting to raise their privileges.

Generated by OpenCVE AI on April 2, 2026 at 05:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest Microsoft .NET 10.0 update that resolves the permission configuration issue.
  • Confirm that default permission settings for .NET components are correctly applied after the update.
  • If an update is not yet available, configure the application to run with the minimum permissions required for its operation.
  • Continuously monitor system logs for attempts to modify permissions or perform actions outside normal user scope.

Generated by OpenCVE AI on April 2, 2026 at 05:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-crjq-wm6x-6qx7 .NET Elevation of Privilege Vulnerability
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally.
Title .NET Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft .net
Weaknesses CWE-276
CPEs cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft .net
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Linux Linux Kernel
Microsoft .net
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-14T16:36:13.962Z

Reserved: 2026-02-11T16:24:51.132Z

Link: CVE-2026-26131

cve-icon Vulnrichment

Updated: 2026-03-11T13:02:09.794Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:42.393

Modified: 2026-04-01T20:23:21.930

Link: CVE-2026-26131

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-10T17:05:09Z

Links: CVE-2026-26131 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T08:00:23Z

Weaknesses