The vulnerability is in the `EncryptedXml` class of the `System.Security.Cryptography.Xml` namespace and stems from unsafe handling of XML transforms during encryption and decryption. A specially crafted XML payload that triggers recursive entity expansion or XML External Entity (XXE) processing causes uncontrolled resource consumption (CWE-400 and CWE-611): the class does not bound the depth or size of the XML transforms it processes, so processing can loop or allocate memory without limit until CPU and memory are exhausted and the application crashes or stops responding. The attack is carried out remotely over the network and needs neither authentication nor user interaction; the CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, i.e. availability impact only, with no confidentiality or integrity impact. Microsoft has verified exploitability internally and reports that an attacker can reliably trigger the DoS condition with minimal effort.
dailycve form:
Platform: .NET
Version: 10, 9, 8
Vulnerability: Uncontrolled resource consumption
Severity: High
Date: 2026-04-14
Prediction: April 2026
What Undercode Say:
Analytics:
Identify affected .NET installations (runtimes of the 8, 9 and 10 lines):
dotnet --list-runtimes | grep -E "Microsoft.NETCore.App (8|9|10)\."
Detect use of EncryptedXml in source code (the glob must be quoted so the shell does not expand it):
grep -r "EncryptedXml" --include="*.cs" .
Check the NuGet package version of System.Security.Cryptography.Xml referenced by the project:
dotnet list package | grep "System.Security.Cryptography.Xml"
Verify patch status by checking the .NET runtime version (patched versions: 8.0.26, 9.0.15, 10.0.6):
dotnet --info | grep "Version"
Exploit:
Craft an XML document with deeply nested entity references or a malicious
Protection from this CVE:
Update the `System.Security.Cryptography.Xml` NuGet package to a patched version; without a `--version` argument the command below pulls the latest published release:
dotnet add package System.Security.Cryptography.Xml
Or apply the April 2026 cumulative .NET update via Windows Update or your package manager.
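As an added illustration, not code from the original post or from Microsoft, the following C# program shows the defence-in-depth step a service can put in front of `EncryptedXml` while the patch is rolled out: network-supplied XML is parsed with DTDs prohibited, external resolution disabled and entity expansion capped, so the entity-expansion and XXE style inputs described above are rejected by the parser before the class sees them. This does not replace the patched package, because the post places the flaw inside the class's own transform handling. The `LoadUntrusted` helper, the `order-key` key name and the two sample documents (including the constructed entity-expansion payload) are assumptions made for this example.

```csharp
// Added example (not from the original post): hardened XML loading in front of EncryptedXml.
// Requires a reference to the System.Security.Cryptography.Xml NuGet package.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SafeEncryptedXmlDemo
{
    // Constructed sample of the recursive entity-expansion pattern described in the post.
    const string EntityExpansionPayload =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE lolz [\n" +
        " <!ENTITY lol \"lol\">\n" +
        " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        "]>\n" +
        "<root>&lol2;</root>";

    // Hypothetical helper: parse untrusted XML with DTDs rejected, no external
    // resolution (XXE) and explicit caps on entity expansion and document size.
    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // any <!DOCTYPE> raises XmlException
            XmlResolver = null,                        // never fetch external entities or DTDs
            MaxCharactersFromEntities = 1024,          // cap expansion if DTDs are ever re-enabled
            MaxCharactersInDocument = 1_000_000,       // bound total input size
        };
        var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    public static void Main()
    {
        // 1. The hostile document is rejected before EncryptedXml is ever constructed.
        try
        {
            LoadUntrusted(EntityExpansionPayload);
            Console.WriteLine("UNEXPECTED: payload was accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("Rejected hostile input: " + e.Message);
        }

        // 2. A legitimate encrypted document still round-trips through the same loader.
        using var aes = Aes.Create();                       // assumed shared symmetric key
        var original = new XmlDocument { PreserveWhitespace = true };
        original.LoadXml("<order><card>4111111111111111</card></order>");
        XmlElement target = original.DocumentElement["card"];

        var enc = new EncryptedXml();
        byte[] cipher = enc.EncryptData(target, aes, content: false);
        var ed = new EncryptedData
        {
            Type = EncryptedXml.XmlEncElementUrl,
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url),
        };
        ed.KeyInfo = new KeyInfo();
        ed.KeyInfo.AddClause(new KeyInfoName("order-key"));  // assumed key name
        ed.CipherData.CipherValue = cipher;
        EncryptedXml.ReplaceElement(target, ed, content: false);

        // Treat the encrypted XML as if it arrived over the network: hardened parse, then decrypt.
        XmlDocument received = LoadUntrusted(original.OuterXml);
        var dec = new EncryptedXml(received);
        dec.AddKeyNameMapping("order-key", aes);
        dec.DecryptDocument();                               // <card> is restored in place
        Console.WriteLine(received.OuterXml);
    }
}
```

Build it in a fresh console project with `dotnet add package System.Security.Cryptography.Xml` followed by `dotnet run`. The first part should print an `XmlException` message stating that DTDs are prohibited; the second part decrypts the element in place using the hardened loader on the receive side, which is where untrusted input enters.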
Impact:
Unpatched applications are vulnerable to remote denial-of-service attacks, potentially taking down internet-facing services like web APIs and e-commerce sites with a single malicious request. Attackers require no privileges, making this a low‑barrier, high‑impact threat.
Sources:
Reported By: github.com

