Description
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a logic flaw that creates an infinite loop in ASP.NET Core, allowing an unauthorized attacker to exhaust system resources and cause a denial of service. This type of flaw falls under CWE-835 (Infinite Loop). The impact is a service outage, potentially affecting all users of the affected application, as the loop continually consumes CPU or memory until the process terminates or the system becomes unresponsive. No data exfiltration or authentication bypass is indicated by the description, so confidentiality and integrity are not directly compromised.

Affected Systems

Microsoft .NET 10.0, Microsoft .NET 9.0, and Microsoft .NET 8.0 are affected. The specific affected components are the ASP.NET Core runtime libraries that contain the infinite loop logic. Users of these framework versions should verify whether their deployed applications include the vulnerable code paths.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for denial of service. EPSS data is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is remote network access: an unauthorized client can trigger the loop by sending a crafted request. Successful exploitation would result in prolonged service unavailability, which can be exploited in a broader denial-of-service campaign when combined with other vulnerabilities or resource exhaustion attacks.

Generated by OpenCVE AI on May 12, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ASP.NET Core to the latest patched version that eliminates the infinite loop logic.
  • Apply all applicable Microsoft security updates for the .NET framework for each affected version.
  • In the absence of a patch, limit exposure by restricting network access to the vulnerable endpoints or implementing rate‑limiting and monitoring to detect and block repetitive requests that could trigger the loop.


Advisories
Source | ID | Title
Github GHSA | GHSA-9v76-4qcc-frgh | Microsoft Security Advisory CVE-2026-42899 – ASP.NET Core Denial of Service Vulnerability
History

Wed, 27 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Important


Wed, 13 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple macos; Linux; Linux linux Kernel; Microsoft windows
CPEs | | cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Apple; Apple macos; Linux; Linux linux Kernel; Microsoft windows

Tue, 12 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Title | | ASP.NET Core Denial of Service Vulnerability
First Time appeared | | Microsoft; Microsoft .net
Weaknesses | | CWE-835
CPEs | | cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft .net
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-05T16:39:09.586Z

Reserved: 2026-04-30T22:35:54.967Z

Link: CVE-2026-42899

Vulnrichment

Updated: 2026-05-12T20:10:15.795Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:26.733

Modified: 2026-05-13T18:39:43.843

Link: CVE-2026-42899

Redhat

Severity: Important

Public Date: 2026-05-12T16:59:06Z

Links: CVE-2026-42899 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T10:00:10Z

Weaknesses