NET, Improper Input Validation / Heap-based Buffer Overflow, CVE-2026-35433 (High)

Listen to this Post

This vulnerability in .NET 8.0, 9.0, and 10.0 on Windows stems from improper input validation, which leads to a heap-based buffer overflow (CWE-122 and CWE-20). The flaw allows an unauthorized, unauthenticated attacker with local access to elevate privileges. The attack vector is local (AV:L), attack complexity low (AC:L), requires user interaction (UI:R), and no privileges (PR:N). Successful exploitation yields high confidentiality, integrity, and low availability impact (C:H/I:H/A:L). The issue exists in the core runtime’s handling of untrusted input, specifically when processing certain data structures. When an application receives specially crafted input, the validation logic fails to check buffer boundaries correctly. This allows an attacker to write data beyond the allocated heap buffer, corrupting adjacent memory. By controlling the overflow contents, an attacker can overwrite critical runtime metadata or function pointers. This corruption can be leveraged to execute arbitrary code with elevated privileges, bypassing standard security boundaries. The vulnerability affects all Windows architectures. It was discovered by researcher Ky0toFu and reported to Microsoft. The attack is local but does not require any prior privileges, only the ability to run a malicious .NET application or trick a user into executing a crafted payload. User interaction is required, such as opening a malicious file or visiting a compromised website that triggers the vulnerable code. The CVSS score is 7.3 (High). No public exploit code is available at the time of advisory publication. The issue is patched in updated versions of .NET 8.0, 9.0, and 10.0 released on May 12, 2026.

dailycve form:

Platform: Windows
Version: .NET 8/9/10
Vulnerability: Heap Buffer Overflow
Severity: High
date: May 12 2026

Prediction: Already patched (May 12 2026)

Analytics under What Undercode Say:

Check installed .NET versions
dotnet --info
List packages in project
dotnet list package
Update SDK for Windows
winget upgrade Microsoft.DotNet.SDK.8
winget upgrade Microsoft.DotNet.SDK.9
winget upgrade Microsoft.DotNet.SDK.10
Recompile self-contained apps
dotnet publish -r win-x64 --self-contained

Exploit:

No public exploit. This heap overflow requires crafted input to corrupt runtime memory.

Protection from this CVE

Update to .NET 8.0.xxx, 9.0.xxx, 10.0.xxx (May 2026 releases). Restart apps, recompile self-contained deployments.

Impact:

Local privilege escalation, arbitrary code execution, full system compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top