Description
Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
Published: 2026-04-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

This flaw is an uncontrolled resource consumption vulnerability in Microsoft .NET. It enables an unauthorized remote attacker to trigger excessive resource usage, exhausting memory or CPU, which in turn can cause the affected application or the entire system to become unresponsive. The weakness maps to CWE-400 (Uncontrolled Resource Consumption), CWE-611 (XML External Entity), and CWE-776 (Resource Exhaustion via Improper Management).

Affected Systems

Microsoft .NET 10.0, 9.0, and 8.0 are listed as affected. No specific version subrange is provided, so all current releases of these three major releases are potentially impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, yet the EPSS score is not listed, and the flaw is not in the CISA KEV catalog. The attack vector is inferred to be over a network, as the description states the denial of service can be mounted over a network connection. Exploitation would involve sending a crafted request or sequence that forces the .NET runtime to consume excessive resources, leading to service disruption. No exploit code is publicly referenced, so the exploitation path is considered moderate, but the impact on availability can be severe for exposed services.

Generated by OpenCVE AI on April 15, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft .NET updates available for versions 10.0, 9.0, and 8.0 as published on the Microsoft Security Response Center.
  • Restart affected services after applying the patch to ensure the changes take effect.
  • Implement network access controls or request throttling for the vulnerable services to limit resource usage until the patch is applied.


Advisories
Source | ID | Title
Github GHSA | GHSA-w3x6-4m5h-cxqf | Microsoft Security Advisory CVE-2026-26171 – .NET Denial of Service Vulnerability
History

Wed, 15 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-776
References | |
Metrics | threat_severity: None | threat_severity: Important


Tue, 14 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
Title | | .NET Denial of Service Vulnerability
First Time appeared | | Microsoft, Microsoft .net
Weaknesses | | CWE-400, CWE-611
CPEs | | cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft, Microsoft .net
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-15T21:55:26.095Z

Reserved: 2026-02-11T18:33:57.776Z

Link: CVE-2026-26171

Vulnrichment

Updated: 2026-04-14T18:53:33.356Z

NVD

Status: Received

Published: 2026-04-14T18:16:51.577

Modified: 2026-04-14T18:16:51.577

Link: CVE-2026-26171

Redhat

Severity: Important

Public Date: 2026-04-14T18:39:18Z

Links: CVE-2026-26171 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T15:15:06Z

Weaknesses