idunnoBluesky, Denial of Service, CVE-2026-26127 (High)

Listen to this Post

The CVE-2026-26127 vulnerability is a Denial of Service (DoS) issue residing in the Microsoft.Bcl.Memory NuGet package, which is a transitive dependency of the idunno.AtProto and idunno.AtProto.OAuthCallback libraries . The core of the vulnerability lies in an out-of-bounds read error that occurs when the software improperly handles malformed Base64Url encoded input . When an attacker sends a specially crafted network request containing this malformed data to an application utilizing the affected package, the .NET component attempts to read beyond the allocated memory buffer . This out-of-bounds read operation causes the application to crash, leading to a service interruption . The vulnerability is considered high severity because it can be triggered remotely by an unauthenticated attacker over the network without any user interaction, and it has a high impact on system availability . The issue specifically affects .NET 9.0 and .NET 10.0 versions, and consequently, any application built with idunno packages that depend on these versions through the Microsoft.Bcl.Memory package . The fix involves updating the Duende.IdentityModel.OidcClient dependencies, which in turn updates Microsoft.Bcl.Memory to version 10.0.4 where the vulnerable code has been patched .

dailycve form:

Platform: idunno.Bluesky packages
Version: pre-v1.7.0
Vulnerability: DoS via transitive
Severity: High (7.5)
date: March 10, 2026

Prediction: Patched Mar 10

What Undercode Say:

Analytics:

The CVE-2026-26127 vulnerability impacts applications built with idunno.Bluesky, idunno.AtProto, and idunno.AtProto.OAuthCallback due to a transitive dependency on Microsoft.Bcl.Memory . The root cause is an out-of-bounds read when decoding malformed Base64Url input, leading to application crashes . The CVSS 3.1 base score is 7.5 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-exploitable flaw requiring no privileges or user interaction that completely compromises availability . Microsoft released patches on March 10, 2026, as part of the March Patch Tuesday, updating .NET to versions 8.0.25, 9.0.14, and 10.0.4, which subsequently fixes the idunno packages when updated to v1.7.0 .

Bash/Commands:

To update the vulnerable dependencies using .NET CLI:

Open terminal in project directory
Update idunno.Bluesky package
dotnet add package idunno.Bluesky
Update idunno.AtProto direct dependency
dotnet add package idunno.AtProto
Update idunno.AtProto.OAuthCallback direct dependency
dotnet add package idunno.AtProto.OAuthCallback

Using NuGet Package Manager Console in Visual Studio:

Update idunno.Bluesky
Update-Package -Id idunno.Bluesky
Update idunno.AtProto
Update-Package -Id idunno.AtProto
Update idunno.AtProto.OAuthCallback
Update-Package -Id idunno.AtProto.OAuthCallback

Exploit:

An attacker would send a maliciously crafted network request containing malformed Base64Url encoded data to an application using the vulnerable idunno packages. The application’s dependency on Microsoft.Bcl.Memory (versions prior to 10.0.4) fails to properly validate this input, triggering an out-of-bounds read condition . This memory access violation causes the .NET runtime to crash the application process, resulting in a denial of service. Since the vulnerability requires no authentication and low attack complexity, multiple such requests could be sent to maintain the service disruption .

Protection from this CVE:

  1. Immediately update all idunno packages to version 1.7.0 or later using the provided .NET CLI or Visual Studio commands .
  2. Ensure the transitive dependency Microsoft.Bcl.Memory is updated to version 10.0.4 or higher .
  3. For Ubuntu systems, apply the USN-8085-1 update which provides patched dotnet9 and dotnet10 packages .
  4. On Windows systems, install the March 2026 .NET Core updates that bring runtimes to 8.0.25, 9.0.14, or 10.0.4 .
  5. No workarounds exist other than patching, so updating is mandatory .

Impact:

Successful exploitation causes complete service disruption by crashing the .NET application. The vulnerability affects availability with high impact, while confidentiality and integrity remain unaffected . Applications built with idunno.Bluesky, idunno.AtProto, and idunno.AtProto.OAuthCallback that have not been updated to v1.7.0 are vulnerable to remote unauthenticated DoS attacks . This can lead to downtime for services relying on Bluesky/AT Protocol integration, potentially affecting user-facing applications and backend services. The vulnerability is remotely exploitable over the network, making internet-facing instances particularly at risk .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top