Description
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Published: 2026-06-09
Score: 7.5 High
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled resource consumption flaw in ASP.NET Core that allows an attacker to deplete server resources by sending malicious traffic over a network. The weakness is classified as CWE-400.

Affected Systems

Affected products include Microsoft .NET 10.0, .NET 8.0, and .NET 9.0 runtimes; ASP.NET Core 10.0, 8.0, and 9.0; and Visual Studio 2026 version 18.6. Any deployment of these frameworks or the IDE that hosts an ASP.NET Core application may be vulnerable if not patched.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for the denial‑of‑service capability. EPSS score of 2% indicates a low but non‑zero likelihood of exploitation; the vulnerability is not listed in the CISA KEV catalog. Attackers can target the vulnerable application directly over the network by issuing crafted requests that exhaust resources, leading to complete service interruption for legitimate users.

Generated by OpenCVE AI on June 10, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft security update that addresses the uncontrolled resource consumption flaw for .NET, ASP.NET Core, and Visual Studio 2026.
  • Configure application‑layer or gateway rate limiting to reduce the impact of malicious requests while awaiting the patch.
  • Monitor application performance and logs for abnormal request patterns that may indicate an ongoing denial‑of‑service attempt.

Generated by OpenCVE AI on June 10, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Title ASP.NET Core Denial of Service Vulnerability
First Time appeared Microsoft
Microsoft .net
Microsoft asp.net Core
Microsoft visual Studio 2026
Weaknesses CWE-400
CPEs cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft .net
Microsoft asp.net Core
Microsoft visual Studio 2026
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft .net Asp.net Core Visual Studio 2026
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T13:47:58.238Z

Reserved: 2026-05-12T19:55:45.730Z

Link: CVE-2026-45591

cve-icon Vulnrichment

Updated: 2026-06-10T13:47:55.406Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:26.933

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45591

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T14:45:32Z

Weaknesses