PT-2026-24330 · Microsoft+2 · Microsoft.Bcl.Memory 9.0.0+9

Published 2026-03-10 · Updated 2026-04-14 · CVE-2026-26127

CVSS v2.0: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Name of the Vulnerable Software and Affected Versions

.NET versions 9.0.0 through 9.0.13
.NET versions 10.0.0 through 10.0.3
Microsoft.Bcl.Memory versions 9.0.0 through 9.0.13
Microsoft.Bcl.Memory versions 10.0.0 through 10.0.3

Description

An out-of-bounds read issue exists in .NET and Microsoft.Bcl.Memory when decoding malformed Base64Url input. This can allow an unauthorized attacker to cause a denial of service (DoS) over a network, potentially preventing legitimate users from accessing the affected service. Approximately 32 articles have been published from different internet sources regarding this issue.

Recommendations

For .NET 9.0.0 through 9.0.13, update to version 9.0.14.
For .NET 10.0.0 through 10.0.3, update to version 10.0.4.
For Microsoft.Bcl.Memory versions 9.0.0 through 9.0.13, update to version 9.0.14.
For Microsoft.Bcl.Memory versions 10.0.0 through 10.0.3, update to version 10.0.4.

To update packages, use the NuGet Package Manager UI in Visual Studio, the NuGet Package Manager Console, or the .NET CLI with the appropriate update-package or dotnet package update command.
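
One way to check a project file against the affected ranges listed above, as an added example that is not part of the advisory or of any Microsoft tooling. The sample project file and the names classify and audit_csproj are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges and fixed versions as listed in the advisory above.
AFFECTED = [((9, 0, 0), (9, 0, 13), "9.0.14"), ((10, 0, 0), (10, 0, 3), "10.0.4")]
PACKAGE = "microsoft.bcl.memory"  # NuGet package IDs are case-insensitive

def local(tag):
    """Strip an XML namespace so legacy (namespaced) project files also match."""
    return tag.rsplit("}", 1)[-1]

def classify(version_text):
    """Map a declared version string to a status for this advisory."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version_text.strip())
    if not m:
        # Floating ("10.0.*"), range, prerelease or centrally managed versions
        # cannot be judged from the project file alone.
        return "undetermined: check the resolved version"
    v = tuple(int(p) for p in m.groups())
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return "affected: update to " + fixed
    return "outside the listed affected ranges"

def audit_csproj(xml_text):
    """Return (declared version, status) for each direct reference to PACKAGE."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        if (el.get("Include") or "").lower() != PACKAGE:
            continue
        # The version may be an attribute or a child <Version> element.
        version = el.get("Version") or next(
            (c.text or "" for c in el if local(c.tag) == "Version"), "")
        findings.append((version, classify(version)))
    return findings

# Constructed sample project file (hypothetical, not from the advisory).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.13" />
    <PackageReference Include="microsoft.bcl.memory"><Version>10.0.4</Version></PackageReference>
    <PackageReference Include="Microsoft.Bcl.Memory" Version="10.0.*" />
    <PackageReference Include="Example.Other" Version="1.2.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, status in audit_csproj(SAMPLE_CSPROJ):
        print(f"Microsoft.Bcl.Memory {version or '(no version)'}: {status}")
```

This only inspects direct PackageReference entries. Transitive dependencies and the installed .NET runtime version need to be checked separately.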

Fix

DoS

Out of bounds Read

Improper Validation of Array Index

Weakness Enumeration

Related Identifiers

ALSA-2026:4443
ALSA-2026:4445
ALSA-2026:4450
ALSA-2026:4453
ALSA-2026:4456
ALSA-2026:4458
BDU:2026-02876
BIT-DOTNET-2026-26127
BIT-DOTNET-SDK-2026-26127
CVE-2026-26127
GHSA-32WQ-PPWG-3W4M
GHSA-73J8-2GCH-69RQ
GHSA-8FH9-C4JQ-94H4
GHSA-C8GQ-RHQH-WGWM
RHSA-2026:4443
RHSA-2026:4445
RHSA-2026:4450
RHSA-2026:4453
RHSA-2026:4456
RHSA-2026:4458
USN-8085-1

Affected Products

.NET 10.0.0
.NET 10.0.3
.NET 9.0.0
.NET 9.0.13
Linux Mint
Microsoft.Bcl.Memory 10.0.0
Microsoft.Bcl.Memory 10.0.3
Microsoft.Bcl.Memory 9.0.0
Microsoft.Bcl.Memory 9.0.13
Ubuntu