Description
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Published: 2026-06-09
Score: 7.5 High
EPSS: 2.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled resource consumption flaw in ASP.NET Core that allows an attacker to deplete server resources by sending malicious traffic over a network. The weakness is classified as CWE-400 and CWE-770.

Affected Systems

Affected products include Microsoft .NET 10.0, .NET 8.0, and .NET 9.0 runtimes; ASP.NET Core 10.0, 8.0, and 9.0; and Visual Studio 2026 version 18.6. Any deployment of these frameworks or the IDE that hosts an ASP.NET Core application may be vulnerable if not patched.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for the denial‑of‑service capability. EPSS score of 2% indicates a low but non‑zero likelihood of exploitation; the vulnerability is not listed in the CISA KEV catalog. Attackers can target the vulnerable application directly over the network by issuing crafted requests that exhaust resources, leading to complete service interruption for legitimate users.

Generated by OpenCVE AI on June 30, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft security update that addresses the uncontrolled resource consumption flaw for .NET, ASP.NET Core, and Visual Studio 2026.
  • Configure application‑layer or gateway rate limiting to reduce the impact of malicious requests while awaiting the patch.
  • Monitor application performance and logs for abnormal request patterns that may indicate an ongoing denial‑of‑service attempt.

Generated by OpenCVE AI on June 30, 2026 at 16:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f8h2-vmm9-qhj6 Microsoft Security Advisory CVE-2026-45591 – ASP.NET Core Denial of Service Vulnerability
History

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
Redhat hummingbird
Weaknesses CWE-770
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:hummingbird:1
cpe:/o:redhat:enterprise_linux:10.2
Vendors & Products Redhat
Redhat enterprise Linux
Redhat hummingbird
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Title ASP.NET Core Denial of Service Vulnerability
First Time appeared Microsoft
Microsoft .net
Microsoft asp.net Core
Microsoft visual Studio 2026
Weaknesses CWE-400
CPEs cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft .net
Microsoft asp.net Core
Microsoft visual Studio 2026
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft .net Asp.net Core Visual Studio 2026
Redhat Enterprise Linux Hummingbird
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-30T12:10:20.250Z

Reserved: 2026-05-12T19:55:45.730Z

Link: CVE-2026-45591

cve-icon Vulnrichment

Updated: 2026-06-30T03:15:54.646Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:26.933

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45591

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-09T17:05:29Z

Links: CVE-2026-45591 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling