Listen to this Post
The vulnerability resides in System.Security.Cryptography.Xml, specifically in how the `EncryptedXml` class (or the underlying XmlDecryptionTransform) processes XML data during decryption operations. When an attacker provides a specially crafted XML document containing recursive entity references or self-referential URI paths, the component fails to properly validate the depth of recursion. The class iterates over the XML structure without a safe termination condition, causing an infinite loop that consumes 100% of a CPU core and prevents legitimate requests from being processed. The `XmlDSigSearchDepth` property, designed to mitigate such attacks, is not applied during this particular decryption path, leaving the recursion unchecked. As the loop never exits, the application thread hangs indefinitely, requiring a process restart to restore functionality. The attack requires no authentication and can be delivered over a network, making it highly accessible. The issue affects all versions of .NET 8, 9, and 10, as well as older .NET Framework releases. Microsoft assigned a CVSS 3.1 score of 7.5 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C, reflecting the ease of exploitation and the severe service impact. The flaw was discovered by Ludvig Pedersen and publicly disclosed on April 14, 2026.
DailyCVE Form
Platform: Microsoft .NET
Version: .NET 8/9/10
Vulnerability: Infinite loop DoS
Severity: High
Date: April 14 2026
Prediction: Patch already released
What Undercode Say:
The following commands identify vulnerable .NET installations and apply the official patch.
Check currently installed .NET versions
dotnet --list-sdks
dotnet --list-runtimes
Verify if vulnerable package is used
find . -name ".csproj" -exec grep -l "System.Security.Cryptography.Xml" {} \;
Update the vulnerable NuGet package via CLI
dotnet add package System.Security.Cryptography.Xml
Alternatively, force a specific patched version (e.g., 10.0.6+)
dotnet add package System.Security.Cryptography.Xml --version 10.0.6
Rebuild the application after update
dotnet build --configuration Release
For containerized environments, rebuild the image
docker build --no-cache -t myapp:patched .
Exploit:
An attacker sends a POST request with a malicious XML payload to any endpoint that processes XML encryption. The crafted document includes nested `&entity;` references that cause the `EncryptedXml` parser to recursively expand entities without bound, consuming CPU resources until the process crashes.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY a "&a;&a;"> ]> <root> <EncryptedData> <CipherData>&a;</CipherData> </EncryptedData> </root>
Protection from this CVE
- Update immediately – Install the April 2026 cumulative updates for .NET (KB5082421, KB5082424) or upgrade to .NET 10.0.6 / 9.0.6 / 8.0.6.
- Apply NuGet fix – Run `Update-Package -Id System.Security.Cryptography.Xml` in the Package Manager Console.
- Limit recursion – Manually set `EncryptedXml.XmlDSigSearchDepth` to a low value (e.g., 5) in code as a temporary mitigation.
- Validate XML input – Reject any XML containing recursive entity declarations before decryption.
Impact
Successful exploitation leads to a complete denial of service for the affected application. A single request can lock a CPU core indefinitely, and repeated attacks can exhaust all available threads, making the service unavailable to legitimate users. The process may need to be killed and restarted to recover, potentially causing data loss or corruption in stateful applications. As the attack requires no authentication and can be launched remotely, any publicly accessible .NET service that uses `EncryptedXml` is at risk.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

