CVE-2026-32177 - Vulnerability Details

- .NET Elevation of Privilege Vulnerability

Description

Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.

Published: 2026-05-12

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A heap‑based buffer overflow occurs within the .NET runtime and associated Visual Studio components, permitting an attacker who can run code locally to gain elevated privileges on the machine. The flaw allows arbitrary memory writes that can alter execution flow, thus enabling the attacker to execute actions with higher privilege levels, which is classified as a local privilege escalation vulnerability. The weakness is identified by CWE‑122 and CWE‑20.

Affected Systems

Microsoft .NET Framework versions 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 and 4.8.1, .NET 8.0, 9.0 and 10.0, as well as Microsoft Visual Studio 2017 (15.0‑15.9), Visual Studio 2019 (16.0‑16.10), Visual Studio 2022 (17.12‑17.14) and Visual Studio 2026 (18.5).

Risk and Exploitability

The CVSS score of 7.3 places this issue in the high severity range, and while an EPSS score is currently unavailable, the vulnerability is not listed in the CISA KEV catalog. The description explicitly states that the escalation is local, meaning an attacker must have the ability to execute code on the target system to leverage the flaw. Consequently, systems that allow local code execution on affected .NET or Visual Studio installations face a significant risk of privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

.NET 10.0

affected

Version	Status	Constraints
`10.0.0`	affected	< 10.0.8

Microsoft

.NET 8.0

affected

Version	Status	Constraints
`8.0.0`	affected	< 8.0.27

Microsoft

.NET 9.0

affected

Version	Status	Constraints
`9.0.0`	affected	< 9.0.16

Microsoft

Microsoft .NET Framework 3.5

affected

Version	Status	Constraints
`3.5.0`	affected	< 4.8.9334.0 and 4.8.4802.0

Microsoft

Microsoft .NET Framework 3.5 AND 4.7.2

affected

Version	Status	Constraints
`4.7.0`	affected	< 4.8.9334.0 and 4.8.4802.0

Microsoft

Microsoft .NET Framework 3.5 AND 4.8

affected

Version	Status	Constraints
`4.8.0`	affected	< 4.8.9334.0 and 4.8.4802.0

Microsoft

Microsoft .NET Framework 3.5 AND 4.8.1

affected

Version	Status	Constraints
`4.8.1`	affected	< 4.8.9334.0 and 4.8.4802.0

Microsoft

Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2

affected

Version	Status	Constraints
`4.7.0`	affected	< 4.8.9334.0 and 4.8.4802.0

Microsoft

Microsoft .NET Framework 4.8

affected

Version	Status	Constraints
`4.8.0`	affected	< 4.8.9334.0 and 4.8.4802.0

Microsoft

Microsoft Visual Studio 2022 version 17.12

affected

Version	Status	Constraints
`17.12.0`	affected	< 17.12.20

Microsoft

Microsoft Visual Studio 2022 version 17.14

affected

Version	Status	Constraints
`17.14.0`	affected	< 17.14.32

Microsoft

Microsoft Visual Studio 2026 version 18.5

affected

Version	Status	Constraints
`18.5.0`	affected	< 18.5.3

No data.

Vendor Product Confidence Versions

Microsoft

.net

90%

Version	Status	Scheme	Platform
`[10.0.0,10.0.8)`	affected	semver	—
`[8.0.0,8.0.27)`	affected	semver	—
`[9.0.0,9.0.16)`	affected	semver	—

Microsoft

.net Framework

100%

Version	Status	Scheme	Platform
`—`	affected	—	—

Microsoft

Visual Studio 2017

90%

Version	Status	Scheme	Platform
`[15.9.0,15.9.80)`	affected	semver	—

Microsoft

Visual Studio 2019

90%

Version	Status	Scheme	Platform
`[16.11.0,16.11.56)`	affected	semver	—

Microsoft

Visual Studio 2022

90%

Version	Status	Scheme	Platform
`[17.12.0,17.12.20)`	affected	semver	—
`[17.14.0,17.14.31)`	affected	semver	—

Microsoft

Visual Studio 2026

90%

Version	Status	Scheme	Platform
`[18.5.0,18.5.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the security update for CVE‑2026‑32177 by following the update guide on Microsoft’s site.
Upgrade or replace all .NET Framework and .NET runtime installations with the latest patched versions available, and remove obsolete .NET Framework 3.5 or earlier when feasible.
Enforce least‑privilege controls on local user accounts to prevent them from executing arbitrary .NET assemblies that could trigger the overflow.

Generated by OpenCVE AI on May 12, 2026 at 20:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00096.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32177
https://nvd.nist.gov/vuln/detail/CVE-2026-32177
https://www.cve.org/CVERecord?id=CVE-2026-32177

History

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-32177 https://www.cve.org/CVERecord?id=CVE-2026-32177
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 18 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:microsoft:visual_studio_2017:::::::: cpe:2.3:a:microsoft:visual_studio_2019::::::::

Wed, 13 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 13 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft .net Framework
Vendors & Products		Microsoft .net Framework

Tue, 12 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.
Title		.NET Elevation of Privilege Vulnerability
First Time appeared		Microsoft Microsoft .net Microsoft visual Studio 2017 Microsoft visual Studio 2019 Microsoft visual Studio 2022 Microsoft visual Studio 2026
Weaknesses		CWE-122 CWE-20
CPEs		cpe:2.3:a:microsoft:.net:::::::: cpe:2.3:a:microsoft:visual_studio_2017:::::::: cpe:2.3:a:microsoft:visual_studio_2019:::::::: cpe:2.3:a:microsoft:visual_studio_2022:::::::: cpe:2.3:a:microsoft:visual_studio_2026::::::::
Vendors & Products		Microsoft Microsoft .net Microsoft visual Studio 2017 Microsoft visual Studio 2019 Microsoft visual Studio 2022 Microsoft visual Studio 2026
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32177
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft .net .net Framework Visual Studio 2017 Visual Studio 2019 Visual Studio 2022 Visual Studio 2026

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-05-12T16:58:15.551Z

Updated: 2026-06-05T16:39:53.964Z

Reserved: 2026-03-11T00:26:53.425Z

Link: CVE-2026-32177

Vulnrichment

Updated: 2026-05-13T10:02:59.786Z

NVD

Status : Awaiting Analysis

Published: 2026-05-12T18:16:58.947

Modified: 2026-05-13T15:34:52.573

Link: CVE-2026-32177

Redhat

Severity : Important

Publid Date: 2026-05-12T16:58:15Z

Links: CVE-2026-32177 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T10:38:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object