PT-2026-24332 · Microsoft+4 · .Net 10.0+8

Bartłomiej Dach

·

Published

2026-03-10

·

Updated

2026-04-29

·

CVE-2026-26130

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions .NET 8.0 versions 8.0.0 through 8.0.24 .NET 9.0 versions 9.0.0 through 9.0.13 .NET 10.0 versions 10.0.0 through 10.0.3
Description An uncontrolled resource allocation issue exists in ASP.NET Core, potentially allowing an unauthorized attacker to cause a denial of service (DoS) over a network. The issue stems from the lack of limits or throttling on resource allocation. A specially crafted message to a SignalR server can exhaust an internal buffer, leading to service disruption. It is estimated that a large number of devices worldwide could be affected.
Recommendations Update to .NET 8.0.25. Update to .NET 9.0.14. Update to .NET 10.0.4.

Fix

DoS

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

ALSA-2026:4443
ALSA-2026:4445
ALSA-2026:4450
ALSA-2026:4451
ALSA-2026:4453
ALSA-2026:4454
ALSA-2026:4455
ALSA-2026:4456
ALSA-2026:4458
BDU:2026-03049
BIT-ASPNET-CORE-2026-26130
CVE-2026-26130
GHSA-4VGM-C2WM-63MW
GHSA-VH8F-65QG-3M8J
RHSA-2026:10082
RHSA-2026:10083
RHSA-2026:10084
RHSA-2026:10085
RHSA-2026:10091
RHSA-2026:4443
RHSA-2026:4445
RHSA-2026:4450
RHSA-2026:4451
RHSA-2026:4453
RHSA-2026:4454
RHSA-2026:4455
RHSA-2026:4456
RHSA-2026:4458
USN-8085-1

Affected Products

.Net 10.0
.Net 8.0
.Net 9.0
Asp.Net Core
Linuxmint
Red Os
Rocky Linux
Signalr
Ubuntu