Description
Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heap-based buffer overflow in the .NET runtime allows an unauthorized local user to elevate privileges. The overflow results from missing bounds checking (CWE-190) and inadequate input validation (CWE-20), enabling the attacker to gain higher process rights. By exploiting the vulnerability the attacker could raise privileges to full system rights, potentially compromising data confidentiality, integrity, or system availability.

Affected Systems

Microsoft .NET 3.5, Microsoft .NET 3.5 and 4.7.2, Microsoft .NET 3.5 and 4.8, Microsoft .NET 3.5 and 4.8.1, Microsoft .NET 4.8, Microsoft .NET 8.0, Microsoft .NET 9.0, and Microsoft .NET 10.0 are affected. Applications built on these framework versions run the vulnerable runtime and could be compromised by local attackers if the runtime is not updated.

Risk and Exploitability

The CVSS score of 7.3 indicates a moderate to high severity. The EPSS score of less than 1% suggests a low but non-zero probability of exploitation, while local privilege escalation remains plausible. The vulnerability is not currently in CISA KEV, so no known public exploits have been documented. Exploitation requires local access; an attacker with limited local privileges can trigger the misuse of input validation to elevate their privileges to full system rights.

Generated by OpenCVE AI on June 1, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the .NET runtime to the latest patched version (see Microsoft Security Response Center update for CVE-2026-35433).
  • Restrict local user accounts to the minimal privileges required, removing unnecessary accounts to reduce the attack surface.
  • Enable audit logging for privilege changes on the system so that any unauthorized escalation can be detected and investigated.

Generated by OpenCVE AI on June 1, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8x9c-mqxv-q2pp Microsoft Security Advisory CVE-2026-35433 – .NET Elevation of Privilege Vulnerability
History

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally. Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
Title .NET Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft .net
Weaknesses CWE-190
CWE-20
CPEs cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft .net
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C'}

Subscriptions

Microsoft .net
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-01T23:43:53.209Z

Reserved: 2026-04-02T19:21:11.804Z

Link: CVE-2026-35433

cve-icon Vulnrichment

Updated: 2026-05-13T10:01:42.300Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T18:17:13.710

Modified: 2026-06-01T19:16:32.367

Link: CVE-2026-35433

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-12T16:58:34Z

Links: CVE-2026-35433 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T22:00:14Z

Weaknesses