{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26127", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.912Z", "datePublished": "2026-03-10T17:05:10.752Z", "dateUpdated": "2026-03-12T16:51:19.914Z"}, "containers": {"cna": {"title": ".NET Denial of Service Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.14"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.14"}]}]}], "affected": [{"vendor": "Microsoft", "product": ".NET 10.0", "versions": [{"version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 9.0", "versions": [{"version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-125: Out-of-bounds Read", "lang": "en-US", "type": "CWE", "cweId": "CWE-125"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-12T16:51:19.914Z"}, "references": [{"name": ".NET Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T18:01:20.286864Z", "id": "CVE-2026-26127", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:01:26.809Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26127", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T18:01:20.286864Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:01:22.602Z"}}], "cna": {"title": ".NET Denial of Service Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": ".NET 10.0", "versions": [{"status": "affected", "version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": ".NET 9.0", "versions": [{"status": "affected", "version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"status": "affected", "version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"status": "affected", "version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127", "name": ".NET Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-11T21:35:30.768Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26127", "state": "PUBLISHED", "dateUpdated": "2026-03-11T21:35:30.768Z", "dateReserved": "2026-02-11T15:52:13.912Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:10.752Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network."}], "id": "CVE-2026-26127", "lastModified": "2026-03-11T13:53:20.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:41.713", "references": [{"source": "secure@microsoft.com", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2026:4450", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet9.0-0:9.0.115-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4453", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet10.0-0:10.0.104-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4443", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet9.0-0:9.0.115-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4458", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet10.0-0:10.0.104-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4445", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet10.0-0:10.0.104-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4456", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet9.0-0:9.0.115-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}], "bugzilla": {"description": ".net: .NET: Denial of Service via out-of-bounds read", "id": "2446098", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446098"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-125", "details": ["A flaw was found in .NET. An unauthorized attacker can exploit an out-of-bounds read vulnerability over a network, leading to a Denial of Service (DoS). This can prevent legitimate users from accessing the affected service."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to applications utilizing affected .NET components to only trusted clients or networks using firewall rules. This will limit the exposure of the vulnerable service to potential attackers. After applying firewall rules, ensure to reload or restart the network service for changes to take effect."}, "name": "CVE-2026-26127", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "dotnet8.0", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet8.0", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet8.0", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-10T17:05:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26127\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26127\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127"], "threat_severity": "Moderate"}