HIGH | CVE-2026-45591 | CNA: microsoft

CVE-2026-45591: ASP.NET Core Denial of Service Vulnerability

Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 8.0.28
  • Affected Products: 7

HarborGuard Analysis

Synopsis

Uncontrolled resource consumption in ASP.NET Core (affecting .NET 8.0, 9.0, and 10.0, plus Visual Studio 2026 version 18.6) allows a remote, unauthenticated attacker to exhaust server resources over the network. No authentication or user interaction is needed to trigger the flaw. Successful exploitation crashes or freezes the affected service, causing a denial of service. Patched-image rebuilds at versions 8.0.28, 9.0.17, 10.0.9, and 18.6.3 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ASP.NET Core or the affected .NET runtimes. Any image in a connected registry or CI pipeline carrying a vulnerable version is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.5 (High) and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on ownership rules configured in that environment.

Status: Available

Patch

A patched-image rebuild at the applicable fix version (8.0.28, 9.0.17, 10.0.9, or 18.6.3) becomes available on HarborGuard once the upstream package is resolvable. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the ASP.NET Core service over the network; the vulnerability is exposed on any internet- or intranet-facing endpoint running an affected version.

  • Authentication: Not required

    No account or session credential is needed; the attacker can trigger resource exhaustion as an anonymous, unauthenticated caller.

  • Victim interaction: Not required

    No user action is required; the attacker initiates the attack entirely without any participation from a logged-in user or administrator.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental setup to land consistently.

Blast Radius

  • The targeted ASP.NET Core process exhausts available memory, CPU, or connection-pool resources and becomes unresponsive to legitimate requests.
  • All users of the affected service lose access for the duration of the attack, resulting in full service disruption.
  • Where multiple services share the same host or process pool, resource exhaustion may degrade or take down adjacent workloads on that host.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image in a customer registry or pipeline that includes an affected ASP.NET Core or .NET runtime version. Triage is scored at CVSS 7.5 (High) and routed according to each environment's compliance policy. Where compliance policy permits, a rebuilt image at the appropriate fix version (8.0.28, 9.0.17, 10.0.9, or 18.6.3) is made available automatically. For customers who opt into auto-remediation, HarborGuard performs the image rebuild, runs regression tests, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR is around 90 minutes for high-severity issues in environments with auto-remediation enabled. Customers not yet on a fix version should consider placing network-policy controls in front of exposed ASP.NET Core endpoints to limit the pool of callers who can trigger resource exhaustion while a patched image is prepared.

Fix available

8.0.28, 9.0.17, 10.0.9, 18.6.3

Affected packages
  • Microsoft / .NET 10.0
    < 10.0.9 (from 10.0.0)
  • Microsoft / .NET 8.0
    < 8.0.28 (from 8.0.0)
  • Microsoft / .NET 9.0
    < 9.0.17 (from 9.0.0)
  • Microsoft / ASP.NET Core 10.0
    < 10.0.9 (from 10.0)
  • Microsoft / ASP.NET Core 8.0
    < 8.0.28 (from 8.0)
  • Microsoft / ASP.NET Core 9.0
    < 9.0.17 (from 9.0)
  • Microsoft / Microsoft Visual Studio 2026 version 18.6
    < 18.6.3 (from 18.6.0)
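
The version ranges above can be checked against a host's installed runtimes. The following is an added example, not HarborGuard or Microsoft code: it parses `dotnet --list-runtimes` output and reports any ASP.NET Core or .NET shared framework below its fix version. The sample listing is constructed, the mapping of the listed products to the two framework names is an assumption, and Visual Studio 18.6 is not covered.

```python
import re

# Fix versions per release line, taken from the "Affected packages" list above.
FIXED = {(8, 0): (8, 0, 28), (9, 0): (9, 0, 17), (10, 0): (10, 0, 9)}

# Assumption: the listed ".NET" and "ASP.NET Core" products correspond to these
# shared-framework names as printed by `dotnet --list-runtimes`.
FRAMEWORKS = {"Microsoft.AspNetCore.App", "Microsoft.NETCore.App"}

# One listing line: "<name> <major.minor.patch>[-prerelease] [<install path>]"
LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[(?P<path>.*)\]$")


def affected_runtimes(listing):
    """Return (name, installed version, fix version) for each runtime below its fix."""
    hits = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["name"] not in FRAMEWORKS:
            continue
        ver = tuple(int(p) for p in m["ver"].split("."))
        fix = FIXED.get(ver[:2])
        if fix is None:
            continue  # release line not listed on this page
        # Assumption: a pre-release suffix is ignored, so a preview build is
        # compared by its numeric part and flagged conservatively.
        if ver < fix:
            hits.append((m["name"], m["ver"] + (m["pre"] or ""), ".".join(map(str, fix))))
    return hits


# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 8.0.27 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.17 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.28 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.0-rc.2.25502.107 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for name, ver, fix in affected_runtimes(SAMPLE):
        print(f"{name} {ver} is below fix version {fix}")
```

On a real host, pass the captured output of `dotnet --list-runtimes` to `affected_runtimes` in place of `SAMPLE`.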
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C