NET, Denial of Service, CVE-2026-26127 (High)

Listen to this Post

The vulnerability, identified as CVE-2026-26127, is a denial of service flaw residing in .NET 9.0 and .NET 10.0, specifically within the `Microsoft.Bcl.Memory` library . The issue is triggered by an out-of-bounds read (CWE-125) that occurs when the application attempts to decode malformed Base64Url input . Due to improper bounds checking, an unauthenticated attacker can send a specially crafted request over the network to an application using a vulnerable .NET runtime . This forces the .NET process to read memory outside of the allocated buffer, causing the application to crash . Since no authentication or user interaction is required, the attack surface is broad, affecting any internet-facing service built on the impacted frameworks . While it does not lead to remote code execution, the crash results in a reliable denial of service, disrupting availability for critical applications . Microsoft addressed this vulnerability in the March 2026 Patch Tuesday releases, patching the runtime and the NuGet package .
Platform: .NET
Version: 9.0.0-9.0.13, 10.0.0-10.0.3
Vulnerability :Out-of-bounds Read
Severity: High
Date: March 10, 2026

Prediction: Patches Released (March 10, 2026)

What Undercode Say:

Analytics

The vulnerability exists in code paths processing Base64Url encoding. By analyzing the diff between patched versions (9.0.14/10.0.4) and vulnerable ones, we can infer the fix involves adding validation checks to prevent reads beyond buffer boundaries.
To identify vulnerable assets, use the following commands to check .NET SDK and runtime versions on your systems:

Check installed .NET SDKs and runtimes on Linux/macOS
dotnet --info
Check .NET runtime versions specifically
dotnet --list-runtimes
On Windows (PowerShell), check installed versions
Get-ChildItem -Path "HKLM:\SOFTWARE\dotnet\Setup\InstalledVersions\x64" -Recurse | Get-ItemProperty
On Windows (CMD), check version from the installation path
dir "%PROGRAMFILES%\dotnet\shared\Microsoft.NETCore.App\"

Exploit

The exploitation mechanism relies on supplying malformed Base64Url data to a target .NET application. A proof-of-concept would involve a script sending payloads designed to trigger the out-of-bounds read. While public exploit code is not yet available, the logic is based on input validation failure .

Conceptual Python script to demonstrate the attack vector
import requests
import base64
target_url = "http://vulnerable-app.com/api/process"
Malformed Base64Url string (may contain characters outside spec or incorrect padding)
malformed_payload = "SGVsbG8=" Example of valid; malformed would break spec.
Attacker crafts a string that when decoded causes OOB read
This specific string is theoretical and requires reverse engineering
evil_b64url = "ab!@cde" Hypothetical malformed input
try:
response = requests.post(target_url, data=evil_b64url, headers={'Content-Type': 'text/plain'})
print(f"Status: {response.status_code}")
except requests.exceptions.RequestException as e:
print(f"Service possibly crashed: {e}")

Protection from this CVE

Immediate protection is achieved by updating the .NET runtime and the `Microsoft.Bcl.Memory` NuGet package to their patched versions .

Update the .NET runtime via official installers or package managers
Example on Ubuntu/Debian (if using Microsoft package feed)
sudo apt-get update
sudo apt-get install dotnet-sdk-9.0 dotnet-runtime-9.0
Update the Microsoft.Bcl.Memory NuGet package in a project using .NET CLI
dotnet add package Microsoft.Bcl.Memory --version 9.0.14
or for .NET 10
dotnet add package Microsoft.Bcl.Memory --version 10.0.4
Using NuGet Package Manager Console in Visual Studio
Update-Package -Id Microsoft.Bcl.Memory

If immediate patching is not possible, implement network-level mitigations:
– Deploy a Web Application Firewall (WAF) to inspect and block requests with malformed Base64Url patterns .
– Apply strict input validation on all API endpoints that process Base64 data .
– Implement rate limiting to reduce the impact of automated crash attempts .

Impact

A successful exploit leads to a complete denial of service, causing the targeted .NET application or service to crash . For public-facing web APIs, payment gateways, or line-of-business applications, this can result in significant downtime, financial loss, and reputational damage . Because the vulnerability can be triggered remotely without authentication, it poses a high availability risk to cloud platforms, CI/CD pipelines, and enterprise services relying on .NET 9.0 and 10.0 . Repeated crashes can also mask other malicious activities or destabilize infrastructure during recovery .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top