Listen to this Post
The vulnerability, identified as CVE-2026-26130, is a Denial of Service (DoS) flaw residing in ASP.NET Core, a cross-platform framework for building modern web applications . It specifically affects the SignalR server component, which is used for adding real-time web functionality to applications . The core issue is classified under CWE-770 as “Uncontrolled Resource Consumption” . This means the software does not properly control the allocation and maintenance of system resources. An unauthenticated attacker can exploit this by sending a specially crafted message to a vulnerable SignalR server . This malicious message triggers an internal buffer within the server to grow uncontrollably, exhausting available memory or other resources . As the server’s resources are depleted, it becomes unable to process legitimate requests, leading to a service outage . The attack can be launched remotely over a network without requiring any special privileges or user interaction, making it easily exploitable . The issue affects multiple versions of .NET, including .NET 8, .NET 9, and the newer .NET 10 . Microsoft addressed this vulnerability in the March 2026 servicing updates, releasing patched versions for each affected .NET runtime and SDK .
Platform: .NET
Version: 8.0,9.0,10.0
Vulnerability :DoS
Severity: High
date: March 10,2026
Prediction: March 10,2026
What Undercode Say:
Analytics
Check the currently installed .NET SDKs and runtimes dotnet --info List all installed .NET runtimes to identify vulnerable versions dotnet --list-runtimes For a specific project, list all package references to find the vulnerable Microsoft.AspNetCore.App package dotnet list package Example to update all packages in a project to the latest version (use with caution) dotnet add package Microsoft.AspNetCore.App --version <patched_version> Example for .NET 8 patched version dotnet add package Microsoft.AspNetCore.App --version 8.0.25
Exploit
- Attacker crafts a message targeting the SignalR hub.
- Message is designed to cause uncontrolled resource allocation.
- Exploit sends this message to an unpatched SignalR server.
- Triggered internal buffer exhausts available memory.
- This leads to the ASP.NET Core application becoming unresponsive .
- No authentication is required, allowing any network user to initiate the attack .
Protection
- Immediately update the .NET SDK and Runtime to the patched versions (e.g., .NET 8.0.25, .NET 9.0.14, .NET 10.0.4) .
- If using the vulnerable NuGet package, update its reference to the patched version.
- Restart all applications after installing updates to ensure the fix is applied.
- Redeploy any self-contained applications that were compiled with a vulnerable version.
- As a temporary mitigation, implement network-level rate limiting to reduce the volume of requests to the SignalR server .
Impact
- A remote, unauthenticated attacker can cause a Denial of Service.
- Legitimate users are unable to access the affected ASP.NET Core application.
- The vulnerability impacts applications built on .NET 8.0, .NET 9.0, and .NET 10.0 across all platforms and architectures .
- It has a CVSS score of 7.5 (High), indicating a significant availability impact .
- The issue was responsibly disclosed by Bartłomiej Dach and published on March 10, 2026 .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

