Improper input validation in the .NET runtime allows an unauthorized local user to elevate privileges. The flaw stems from missing bounds checking (CWE-190) and inadequate validation of input data (CWE-20), enabling a local attacker to gain higher process rights on the affected system. By exploiting the vulnerability the attacker could raise privileges to full system privileges, potentially compromising data confidentiality, integrity, or system availability.

Microsoft .NET 8.0, 9.0, and 10.0 are affected by this flaw. Applications built on these framework versions run the vulnerable runtime and could be compromised by local attackers if the runtime is not updated.

The CVSS score of 7.3 indicates a moderate to high severity. The EPSS score is not available, suggesting limited publicly known exploitation data, but local privilege escalation remains plausible. The vulnerability is not currently in CISA KEV, so no known public exploits have been documented. Exploitation requires local access; an attacker with limited local privileges can trigger the misuse of input validation to elevate their privileges to full system rights.