{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26130", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.912Z", "datePublished": "2026-03-10T17:05:22.367Z", "dateUpdated": "2026-03-12T16:51:31.660Z"}, "containers": {"cna": {"title": "ASP.NET Core Denial of Service Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0", "versionEndExcluding": "8.0.25"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0", "versionEndExcluding": "9.0.14"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0", "versionEndExcluding": "10.0.4"}]}]}], "affected": [{"vendor": "Microsoft", "product": "ASP.NET Core 10.0", "versions": [{"version": "10.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 8.0", "versions": [{"version": "8.0", "lessThan": "8.0.25", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 9.0", "versions": [{"version": "9.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en-US", "type": "CWE", "cweId": "CWE-770"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-12T16:51:31.660Z"}, "references": [{"name": "ASP.NET Core Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T19:49:23.302596Z", "id": "CVE-2026-26130", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:49:36.457Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26130", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:49:23.302596Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:49:33.089Z"}}], "cna": {"title": "ASP.NET Core Denial of Service Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "ASP.NET Core 10.0", "versions": [{"status": "affected", "version": "10.0", "lessThan": "10.0.4", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 8.0", "versions": [{"status": "affected", "version": "8.0", "lessThan": "8.0.25", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 9.0", "versions": [{"status": "affected", "version": "9.0", "lessThan": "9.0.14", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130", "name": "ASP.NET Core Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "8.0.25", "versionStartIncluding": "8.0"}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0"}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-11T21:35:41.937Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26130", "state": "PUBLISHED", "dateUpdated": "2026-03-11T21:35:41.937Z", "dateReserved": "2026-02-11T15:52:13.912Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:22.367Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network."}], "id": "CVE-2026-26130", "lastModified": "2026-03-11T13:53:20.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:42.223", "references": [{"source": "secure@microsoft.com", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2026:4450", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet9.0-0:9.0.115-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4451", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet8.0-0:8.0.125-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4453", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet10.0-0:10.0.104-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4443", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet9.0-0:9.0.115-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4455", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet8.0-0:8.0.125-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4458", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet10.0-0:10.0.104-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4445", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet10.0-0:10.0.104-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4454", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet8.0-0:8.0.125-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4456", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet9.0-0:9.0.115-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}], "bugzilla": {"description": "asp.net: ASP.NET Core: Denial of Service via uncontrolled resource allocation", "id": "2446134", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446134"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["A flaw was found in ASP.NET Core. This vulnerability allows an unauthorized attacker to perform a Denial of Service (DoS) attack over a network by allocating resources without limits or throttling. This can lead to the unavailability of the service for legitimate users."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, configure resource limits and throttling for ASP.NET Core applications. This can be achieved by implementing request limits within the application configuration or by utilizing resource quotas provided by container orchestration platforms like OpenShift/Kubernetes. Additionally, web servers acting as reverse proxies can be configured to rate limit incoming requests.\nExample for OpenShift/Kubernetes ResourceQuotas:\n```yaml\napiVersion: v1\nkind: ResourceQuota\nmetadata:\nname: aspnet-core-quotas\nspec:\nhard:\nrequests.cpu: \"1\"\nrequests.memory: \"1Gi\"\nlimits.cpu: \"2\"\nlimits.memory: \"2Gi\"\n```\nConsult ASP.NET Core documentation for application-level request throttling configurations. Ensure that any changes to resource limits or throttling are thoroughly tested to avoid unintended service disruptions. A service restart or reload may be required for changes to take effect."}, "name": "CVE-2026-26130", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-10T17:05:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26130\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26130\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130"], "threat_severity": "Important"}