Description
Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes improper input validation in the .NET runtime that allows an unauthorized local attacker to elevate privileges. The vulnerability arises when crafted input bypasses input checks, leading to an escalation of privileges within the affected process. This flaw is classified as CWE-20 (Improper Input Validation) and CWE-190 (Integer Overflow or Wraparound). The CVE notes no arbitrary code execution or broader impacts beyond the privilege escalation.

Affected Systems

Microsoft .NET 10.0, Microsoft .NET 8.0, Microsoft .NET 9.0, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5 AND 4.7.2, Microsoft .NET Framework 3.5 AND 4.8, Microsoft .NET Framework 3.5 AND 4.8.1, Microsoft .NET Framework 4.8 are affected. Any application that links against these runtimes runs the vulnerable code and is susceptible to local privilege escalation when a local attacker can trigger the overflow.

Risk and Exploitability

The CVE description states that improper input validation in .NET allows an unauthorized attacker to elevate privileges locally, and does not mention arbitrary code execution or broader impacts beyond the elevation. The CVSS score of 7.3 is rated High. The EPSS score of less than 1 percent suggests a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning there are no publicly known exploits. An attacker would need local access and the ability to supply crafted input to trigger the vulnerability; the CVSS vector (AV:L/PR:N/UI:R) also indicates that user interaction is required. Successful exploitation would grant elevated privileges on the compromised host.

Generated by OpenCVE AI on June 18, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched version of the .NET runtime as released by Microsoft (see Microsoft Security Response Center for CVE-2026-35433).
  • Restrict local user accounts to the minimum privileges required, eliminating unnecessary accounts to reduce the attack surface.
  • Enforce application whitelisting or restrict code execution to signed binaries to limit exploitation opportunities.



Advisories
Source | ID | Title
GitHub GHSA | GHSA-8x9c-mqxv-q2pp | Microsoft Security Advisory CVE-2026-35433 – .NET Elevation of Privilege Vulnerability

History

Thu, 18 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally. | Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

Tue, 09 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally. | Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.

Fri, 05 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally. | Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

Mon, 01 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally. | Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.

Thu, 28 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Important


Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Title | | .NET Elevation of Privilege Vulnerability
First Time appeared | | Microsoft; Microsoft .net
Weaknesses | | CWE-190; CWE-20
CPEs | | cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft .net
References | |
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T16:13:23.315Z

Reserved: 2026-04-02T19:21:11.804Z

Link: CVE-2026-35433

Vulnrichment

Updated: 2026-05-13T10:01:42.300Z

NVD

Status: Undergoing Analysis

Published: 2026-05-12T18:17:13.710

Modified: 2026-06-17T20:16:55.200

Link: CVE-2026-35433

Red Hat

Severity: Important

Public Date: 2026-05-12T16:58:34Z

Links: CVE-2026-35433 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T21:15:03Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound

  • CWE-20

    Improper Input Validation