{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26127", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.912Z", "datePublished": "2026-03-10T17:05:10.752Z", "dateUpdated": "2026-03-27T22:33:01.428Z"}, "containers": {"cna": {"title": ".NET Denial of Service Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.14"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.14"}]}]}], "affected": [{"vendor": "Microsoft", "product": ".NET 10.0", "versions": [{"version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 9.0", "versions": [{"version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-125: Out-of-bounds Read", "lang": "en-US", "type": "CWE", "cweId": "CWE-125"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-27T22:33:01.428Z"}, "references": [{"name": ".NET Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T18:01:20.286864Z", "id": "CVE-2026-26127", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:01:26.809Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26127", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T18:01:20.286864Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:01:22.602Z"}}], "cna": {"title": ".NET Denial of Service Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": ".NET 10.0", "versions": [{"status": "affected", "version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": ".NET 9.0", "versions": [{"status": "affected", "version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"status": "affected", "version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"status": "affected", "version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127", "name": ".NET Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-27T22:33:01.428Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26127", "state": "PUBLISHED", "dateUpdated": "2026-03-27T22:33:01.428Z", "dateReserved": "2026-02-11T15:52:13.912Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:10.752Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F0778BD-8D31-493B-93D5-FD554BB1AA33", "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "A470CC25-648C-446F-80E7-E45259BC780A", "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:bcl.memory:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3E7251D-2D93-4081-8770-BF3843B53D24", "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:bcl.memory:*:*:*:*:*:*:*:*", "matchCriteriaId": "86BBEF71-BDE2-4964-BC97-E0B872EB5B13", "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network."}, {"lang": "es", "value": "Lectura fuera de l\u00edmites en .NET permite a un atacante no autorizado denegar servicio a trav\u00e9s de una red."}], "id": "CVE-2026-26127", "lastModified": "2026-04-01T20:22:46.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:41.713", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2026:4450", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet9.0-0:9.0.115-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4453", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet10.0-0:10.0.104-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4443", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet9.0-0:9.0.115-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4458", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet10.0-0:10.0.104-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4445", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet10.0-0:10.0.104-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4456", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet9.0-0:9.0.115-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}], "bugzilla": {"description": ".net: .NET: Denial of Service via out-of-bounds read", "id": "2446098", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446098"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-125", "details": ["A flaw was found in .NET. An unauthorized attacker can exploit an out-of-bounds read vulnerability over a network, leading to a Denial of Service (DoS). This can prevent legitimate users from accessing the affected service."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to applications utilizing affected .NET components to only trusted clients or networks using firewall rules. This will limit the exposure of the vulnerable service to potential attackers. After applying firewall rules, ensure to reload or restart the network service for changes to take effect."}, "name": "CVE-2026-26127", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "dotnet8.0", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet8.0", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet8.0", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-10T17:05:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26127\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26127\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,10.0.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": ".NET 10.0", "source": "cna", "vendor": "Microsoft"}, "product": ".net", "vendor": "microsoft"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.0.14)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": ".NET 9.0", "source": "cna", "vendor": "Microsoft"}, "product": ".net", "vendor": "microsoft"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,10.0.4)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 80.0, "source": "matching"}]}, "original": {"product": "Microsoft.Bcl.Memory", "source": "cna", "vendor": "Microsoft"}, "product": "bcl_memory", "vendor": "microsoft"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.0.14)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 80.0, "source": "matching"}]}, "original": {"product": "Microsoft.Bcl.Memory", "source": "cna", "vendor": "Microsoft"}, "product": "bcl_memory", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-02T03:40:21.119588+00:00", "value": {"mitigation_remediation": ["Install the Microsoft security update for the vulnerable .NET version as per the MSRC advisory", "Verify the installed version is the patched one", "Restart any services that depend on .NET to ensure the update takes effect", "Monitor application logs for any remaining out\u2011of\u2011bounds read errors or crashes"], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects Microsoft .NET 9.0 and 10.0, as well as the Microsoft Bcl.Memory library. Systems running these components on Windows, Linux, macOS, or in cloud environments such as Red\u202fHat Enterprise Linux 8/9/10.1 are potentially vulnerable. Any application that loads the affected .NET framework or library is at risk.", "description_and_impact": "This vulnerability allows an attacker to trigger an out\u2011of\u2011bounds read in the .NET runtime, resulting in a denial of service that can be exercised over a network. The weakness is classified as CWE\u2011125 and can cause the affected application to crash or become unresponsive, disrupting availability for legitimate users.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests a low probability of being actively exploited. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote network attacker sending a crafted exploit to the vulnerable .NET component; local privilege is not required."}}}}, "created": "2026-03-11T11:45:33.250860+00:00", "updated": "2026-04-02T08:00:22.740606+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$.net", "microsoft$PRODUCT$bcl_memory"]}