PT-2026-51074 · Nuget · Corewcf.Netnamedpipe

Published

2026-06-19

Updated

2026-06-19

CVE-2026-54777

CVSS v3.1

6.5

Medium

Vector

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Impact

CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic. NetNamedPipe creates a shared memory object based on the listening url, then generated a unique GUID for the named pipe it will be using and saves this to the shared memory object. Then it creates the named pipe to listen for clients. This requires an attacker to race the service and create the named pipe between the service publishing the GUID to the shared memory location (which the attacker needs to read) and the service creating the named pipe itself.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

Fix

Time Of Check To Time Of Use

Improper Initialization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-367CWE-665

Related Identifiers

CVE-2026-54777

GHSA-6JJ2-4Q5C-X8G6

Affected Products

Corewcf.Netnamedpipe

PT-2026-51074 · Nuget · Corewcf.Netnamedpipe

CVE-2026-54777

Impact

Patches

Workarounds

Weakness Enumeration

Related Identifiers

Affected Products

References · 3