NET, Denial of Service, CVE-2026-26130 (High)

Listen to this Post

The vulnerability, identified as CVE-2026-26130, is a Denial of Service (DoS) flaw residing in ASP.NET Core, a cross-platform framework for building modern web applications . It specifically affects the SignalR server component, which is used for adding real-time web functionality to applications . The core issue is classified under CWE-770 as “Uncontrolled Resource Consumption” . This means the software does not properly control the allocation and maintenance of system resources. An unauthenticated attacker can exploit this by sending a specially crafted message to a vulnerable SignalR server . This malicious message triggers an internal buffer within the server to grow uncontrollably, exhausting available memory or other resources . As the server’s resources are depleted, it becomes unable to process legitimate requests, leading to a service outage . The attack can be launched remotely over a network without requiring any special privileges or user interaction, making it easily exploitable . The issue affects multiple versions of .NET, including .NET 8, .NET 9, and the newer .NET 10 . Microsoft addressed this vulnerability in the March 2026 servicing updates, releasing patched versions for each affected .NET runtime and SDK .
Platform: .NET
Version: 8.0,9.0,10.0
Vulnerability :DoS
Severity: High
date: March 10,2026

Prediction: March 10,2026

What Undercode Say:

Analytics

Check the currently installed .NET SDKs and runtimes
dotnet --info
List all installed .NET runtimes to identify vulnerable versions
dotnet --list-runtimes
For a specific project, list all package references to find the vulnerable Microsoft.AspNetCore.App package
dotnet list package
Example to update all packages in a project to the latest version (use with caution)
dotnet add package Microsoft.AspNetCore.App --version <patched_version>
Example for .NET 8 patched version
dotnet add package Microsoft.AspNetCore.App --version 8.0.25

Exploit

  • Attacker crafts a message targeting the SignalR hub.
  • Message is designed to cause uncontrolled resource allocation.
  • Exploit sends this message to an unpatched SignalR server.
  • Triggered internal buffer exhausts available memory.
  • This leads to the ASP.NET Core application becoming unresponsive .
  • No authentication is required, allowing any network user to initiate the attack .

Protection

  • Immediately update the .NET SDK and Runtime to the patched versions (e.g., .NET 8.0.25, .NET 9.0.14, .NET 10.0.4) .
  • If using the vulnerable NuGet package, update its reference to the patched version.
  • Restart all applications after installing updates to ensure the fix is applied.
  • Redeploy any self-contained applications that were compiled with a vulnerable version.
  • As a temporary mitigation, implement network-level rate limiting to reduce the volume of requests to the SignalR server .

Impact

  • A remote, unauthenticated attacker can cause a Denial of Service.
  • Legitimate users are unable to access the affected ASP.NET Core application.
  • The vulnerability impacts applications built on .NET 8.0, .NET 9.0, and .NET 10.0 across all platforms and architectures .
  • It has a CVSS score of 7.5 (High), indicating a significant availability impact .
  • The issue was responsibly disclosed by Bartłomiej Dach and published on March 10, 2026 .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top