Description
Improper link resolution before file access ('link following') in .NET allows an unauthorized attacker to perform tampering locally.
Published: 2026-06-09
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper link resolution before file access (link following) in .NET allows an unauthorized local attacker to tamper with system files. The flaw corresponds to CWE-59, enabling path traversal or link manipulation that can alter or replace files considered safe. This can degrade system integrity but does not provide remote execution or data exfiltration unless additional vulnerabilities are present.

Affected Systems

The vulnerability affects Microsoft .NET 10.0, .NET 9.0, and .NET 8.0, as listed by the CNA. All affected installations of these versions are susceptible; no additional sub‑version filtering is provided.

Risk and Exploitability

The CVSS score of 6.2 indicates a medium severity for the ability to tamper locally. EPSS data is unavailable, so the exact exploitation probability cannot be quantified, but the lack of a KEV listing suggests no widespread exploitation currently. The likely attack vector requires local or Privileged access to trigger the vulnerable link resolution path. Therefore, the risk is moderate for environments where untrusted code might be executed or unchecked file permissions exist.

Generated by OpenCVE AI on June 9, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply all Microsoft security updates that include a fix for CVE-2026-45491 to the affected .NET 8.0, 9.0, and 10.0 installations.
  • If an update is not available, restrict the execution of untrusted assemblies and disable link following or validate path resolution logic to prevent unauthorized file edits.
  • Reinforce file system permissions so that only trusted users and processes can modify system files that could be targeted by the tampering flaw.

Generated by OpenCVE AI on June 9, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper link resolution before file access ('link following') in .NET allows an unauthorized attacker to perform tampering locally.
Title .NET Tampering Vulnerability
First Time appeared Microsoft
Microsoft .net
Weaknesses CWE-59
CPEs cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft .net
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft .net
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T12:17:26.789Z

Reserved: 2026-05-12T16:07:22.618Z

Link: CVE-2026-45491

cve-icon Vulnrichment

Updated: 2026-06-10T12:17:21.270Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:25.567

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45491

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:15:05Z

Weaknesses