NET / ASPNET Core, Denial of Service (DoS), CVE-2026-42899 (High)

Listen to this Post

How CVE-2026-42899 Works

CVE-2026-42899 is a high‑severity denial‑of‑service vulnerability affecting .NET 8.0, 9.0, and 10.0. The flaw resides in ASP.NET Core and is classified as CWE‑835: Loop with Unreachable Exit Condition (‘Infinite Loop’).
An unauthorized remote attacker can exploit the vulnerability by sending a specially crafted request to a vulnerable ASP.NET Core application. This request triggers an infinite loop in the application’s request‑processing logic. Because the loop contains no exit condition, it continues indefinitely, consuming all available CPU resources and memory on the server.
The constant resource exhaustion prevents the affected application from handling any legitimate requests, leading to a complete denial of service. The attack can be carried out over a network without requiring any prior authentication or user interaction.
The vulnerability affects all platforms (Windows, Linux, and macOS) and all architectures (x86, x64, ARM). Microsoft assigns CVSSv3.1 score 7.5 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C, reflecting the low complexity of exploitation and the high availability impact.
Patches are available in .NET 10.0.8, 9.0.16, and 8.0.27, and developers are urged to update immediately.

dailycve form

Platform: .NET / ASP.NET
Version: 8.0,9.0,10.0
Vulnerability: Infinite loop (CWE‑835)
Severity: 7.5 (High)
date: May 12 2026

Prediction: Immediate update required

What Undercode Say:

Check installed .NET versions
dotnet --info
Verify vulnerable package presence
dotnet list package --vulnerable
Update to the patched version (example for .NET 8)
dotnet add package Microsoft.AspNetCore.App.Runtime.linux-x64 --version 8.0.27
Recompile and redeploy self‑contained applications
dotnet publish -c Release --self-contained -r linux-x64

Exploit

An attacker sends a single, specially crafted HTTP request to an ASP.NET Core endpoint that uses a vulnerable version of the runtime. The endpoint’s processing logic enters an infinite loop (CWE‑835), preventing it from ever returning a response. The loop consumes 100% of a CPU core and grows memory usage until the application pool is forcibly restarted or the server crashes. Because the attack requires no authentication and affects any reachable endpoint that exercises the vulnerable path, a single request is sufficient to take down the entire service.

Protection from this CVE

  • Upgrade .NET 10 to 10.0.8 or later.
  • Upgrade .NET 9 to 9.0.16 or later.
  • Upgrade .NET 8 to 8.0.27 or later.
  • Restart all applications after updating the runtime or SDK.
  • Recompile and redeploy any self‑contained deployments.
  • If immediate patching is not possible, deploy a Web Application Firewall (WAF) rule to block malformed requests that match the attack pattern.

Impact

Denial of service (availability loss). A remote, unauthenticated attacker can render the entire ASP.NET Core application unresponsive, making it impossible for legitimate users to access the service. The attack requires minimal resources from the attacker and can be repeated to maintain the outage until the vulnerable version is patched or the server is manually restarted.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top