Description
Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap‑based buffer overflow occurs within the .NET runtime and associated Visual Studio components, permitting an attacker who can run code locally to gain elevated privileges on the machine. The flaw allows arbitrary memory writes that can alter execution flow, thus enabling the attacker to execute actions with higher privilege levels, which is classified as a local privilege escalation vulnerability. The weakness is identified by CWE‑122 and CWE‑20.

Affected Systems

Microsoft .NET Framework versions 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 and 4.8.1, .NET 8.0, 9.0 and 10.0, as well as Microsoft Visual Studio 2017 (15.0‑15.9), Visual Studio 2019 (16.0‑16.10), Visual Studio 2022 (17.12‑17.14) and Visual Studio 2026 (18.5).

Risk and Exploitability

The CVSS score of 7.3 places this issue in the high severity range. An EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. The description explicitly states that the escalation is local, meaning an attacker must be able to execute code on the target system to leverage the flaw. Consequently, systems that allow local code execution on affected .NET or Visual Studio installations face a significant risk of privilege escalation.

Generated by OpenCVE AI on May 12, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update for CVE‑2026‑32177 by following the update guide on Microsoft’s site.
  • Upgrade or replace all .NET Framework and .NET runtime installations with the latest patched versions available, and remove obsolete .NET Framework 3.5 or earlier when feasible.
  • Enforce least‑privilege controls on local user accounts to prevent them from executing arbitrary .NET assemblies that could trigger the overflow.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally. |
| Title | | .NET Elevation of Privilege Vulnerability |
| First Time appeared | | Microsoft; Microsoft .net; Microsoft visual Studio 2017; Microsoft visual Studio 2019; Microsoft visual Studio 2022; Microsoft visual Studio 2026 |
| Weaknesses | | CWE-122; CWE-20 |
| CPEs | | cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*; cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*; cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*; cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*; cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft .net; Microsoft visual Studio 2017; Microsoft visual Studio 2019; Microsoft visual Studio 2022; Microsoft visual Studio 2026 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:55:56.029Z

Reserved: 2026-03-11T00:26:53.425Z

Link: CVE-2026-32177

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:16:58.947

Modified: 2026-05-12T18:16:58.947

Link: CVE-2026-32177

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:15:24Z

Weaknesses