Mallory

Microsoft Patches Remote Denial-of-Service Vulnerabilities in .NET and ASP.NET Core

Tags: widely-deployed-product-advisory, internet-facing-service-vulnerability, open-source-dependency-vulnerability
Updated March 21, 2026 at 05:52 AM (3 sources)


Microsoft published security advisories for two Important remote denial-of-service (DoS) vulnerabilities affecting .NET and ASP.NET Core: CVE-2026-26127 and CVE-2026-26130. Both issues carry a CVSS 3.1 base score of 7.5 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, meaning they are reachable over the network with low attack complexity, require no privileges and no user interaction, and affect availability only (high impact), not confidentiality or integrity.

CVE-2026-26127 is described as a .NET DoS condition associated with CWE-125 (Out-of-bounds Read), while CVE-2026-26130 is an ASP.NET Core DoS issue associated with CWE-770 (Allocation of Resources Without Limits or Throttling). Organizations running internet-exposed or high-availability services on these frameworks should prioritize applying Microsoft’s updates and review service-level protections (e.g., request throttling and resource limits) where applicable to reduce DoS risk.

Timeline

  1. Mar 10, 2026: Emergency update released for CVE-2026-26127

     Microsoft released security updates to address CVE-2026-26127, recommending upgrades to .NET 9.0.14 and 10.0.4 and updates to affected Microsoft.Bcl.Memory packages. Public details had been disclosed by an anonymous researcher, but reporting said there was no evidence of active exploitation.

  2. Mar 10, 2026: Microsoft publishes advisory for CVE-2026-26130 in ASP.NET Core

     Microsoft also published a Security Update Guide entry for CVE-2026-26130, identifying an ASP.NET Core denial-of-service vulnerability. The reference indicates a separate Microsoft disclosure on the same day.

  3. Mar 10, 2026: Microsoft publishes advisory for CVE-2026-26127 in .NET

     Microsoft disclosed CVE-2026-26127 as a .NET denial-of-service vulnerability in its Security Update Guide. The flaw affects .NET 9.0 and 10.0 and can be triggered remotely without authentication via an out-of-bounds read that crashes vulnerable applications.
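As an added exposure check (a hypothetical helper script, not a Microsoft tool and not part of the advisory), the POSIX shell below flags installed shared runtimes that are older than the fixed builds the timeline names, assuming 9.0.14 and 10.0.4 are the versions that `dotnet --list-runtimes` prints for Microsoft.NETCore.App and Microsoft.AspNetCore.App. It does not cover the Microsoft.Bcl.Memory package, for which the page gives no fixed version.

```shell
#!/bin/sh
# Added example: flag installed .NET shared runtimes below the fixed builds
# named in the timeline (9.0.14 and 10.0.4). Assumption: those are the
# versions `dotnet --list-runtimes` prints as "<name> <version> [<path>]".

# Exit 0 when a 9.0.x or 10.0.x version is older than the fixed build.
is_vulnerable_version() {
    base="${1%%-*}"            # drop prerelease suffix: 10.0.4-rc.1 -> 10.0.4
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac   # malformed version string
    case "$major.$minor" in
        9.0)  [ "$patch" -lt 14 ] ;;
        10.0) [ "$patch" -lt 4 ] ;;
        *)    return 1 ;;      # branches the advisory does not name
    esac
}

# Read `dotnet --list-runtimes` output on stdin; print each vulnerable
# runtime and exit 1 if any was found, 0 otherwise.
scan_runtimes() {
    found=0
    while read -r name ver _path; do
        case "$name" in
            Microsoft.NETCore.App|Microsoft.AspNetCore.App) ;;
            *) continue ;;     # blank lines and other runtimes (e.g. WindowsDesktop)
        esac
        if is_vulnerable_version "$ver"; then
            echo "VULNERABLE: $name $ver -> update to 9.0.14 / 10.0.4 or later"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample output, not captured from a real host.
SAMPLE_RUNTIMES='Microsoft.NETCore.App 8.0.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.13 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.14 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 10.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]'

# On a real host replace the printf with: dotnet --list-runtimes | scan_runtimes
if printf '%s\n' "$SAMPLE_RUNTIMES" | scan_runtimes; then
    echo "No vulnerable 9.0.x / 10.0.x runtimes found"
fi
```

Against the constructed sample the script reports the 9.0.13 and 10.0.3 runtimes and leaves the 8.0.x line alone, since that branch is not named in the advisory.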

Related Stories

Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities

Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.

1 month ago
Microsoft Issues Emergency Patch for ASP.NET Core Data Protection Privilege Escalation

Microsoft released an out-of-band update for **`Microsoft.AspNetCore.DataProtection` 10.0.7** to fix **`CVE-2026-40372`**, a critical ASP.NET Core elevation-of-privilege flaw caused by improper verification of cryptographic signatures (**`CWE-347`**). The regression affects package versions **10.0.0 through 10.0.6** and was uncovered while Microsoft investigated customer-reported decryption failures after the .NET 10.0.6 Patch Tuesday release. Microsoft said the bug in the managed authenticated encryptor could let unauthenticated attackers bypass HMAC validation, forge authentication cookies and other protected payloads, decrypt some protected data, and potentially authenticate as privileged users. The vulnerability primarily affects applications running the vulnerable NuGet package at runtime on **Linux, macOS, and other non-Windows systems**, with some **`net462`** and **`netstandard2.0`** consumers also exposed; Microsoft said Windows deployments and the **8.0.x** and **9.0.x** branches are not affected under the described conditions. Because ASP.NET Core Data Protection is widely used for cookies, tokens, anti-forgery protections, TempData, and similar application state, successful exploitation can enable file disclosure and data modification without impacting availability. Microsoft urged organizations to upgrade to **`10.0.7`**, rebuild and redeploy affected applications, rotate the **DataProtection key ring**, and audit long-lived tokens, API keys, password reset links, and logs because legitimately signed artifacts issued during exploitation may remain valid after patching.

1 week ago
Microsoft March 2026 Patch Tuesday Vulnerabilities Across SharePoint, Office/Excel, Windows Drivers, and GDI

Microsoft published security advisories for multiple **Important** and **Critical** vulnerabilities affecting *SharePoint Server*, *Microsoft Office/Excel*, Windows components, and *GDI*. The highest-impact server-side issue is **CVE-2026-26114**, a *SharePoint Server* **remote code execution** flaw attributed to **CWE-502 (deserialization of untrusted data)** with a CVSS v3.1 vector `AV:N/AC:L/PR:L/UI:N` (base score shown as 8.8), indicating network reachability with low complexity and requiring low privileges. Microsoft also disclosed **CVE-2026-26105**, a *SharePoint Server* **spoofing** issue mapped to **CWE-79 (XSS)** with `AV:N/AC:L/PR:N/UI:R` (base score shown as 8.1), implying remote exploitation that requires user interaction. On the endpoint/application side, Microsoft listed several *Office/Excel* **remote code execution** vulnerabilities: **CVE-2026-26109** (Excel RCE; **CWE-125 out-of-bounds read**; vector `AV:L/AC:L/PR:N/UI:N`, base score shown as 8.4), **CVE-2026-26108** (Excel RCE; **CWE-122 heap-based buffer overflow**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8), and **CVE-2026-26112** (Excel RCE; **CWE-822 untrusted pointer dereference**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8). Microsoft also published **CVE-2026-26113**, a **Critical** *Microsoft Office* RCE (also **CWE-822**) with `AV:L/AC:L/PR:N/UI:N` (base score shown as 8.4); one reference is a duplicate advisory page for the same CVE. Additional component advisories include **CVE-2026-24288** (Windows Mobile Broadband Driver RCE; **CWE-122**; `AV:P/AC:L/PR:N/UI:N`, base score shown as 6.8, requiring physical access) and **CVE-2026-25190** (GDI RCE; **CWE-426 untrusted search path**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8).

1 month ago
