cbcvebase.
CVE-2026-26127
published 2026-03-10

CVE-2026-26127: Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

Priority: P2 · 77
Severity: high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 2.05% (78.8th percentile)

Affected

42 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | bcl.memory | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | bcl.memory | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.bcl.memory | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.bcl.memory | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.bcl.memory | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.bcl.memory | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.linux-arm | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.linux-arm | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.linux-arm64 | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.linux-arm64 | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.linux-musl-arm | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.linux-musl-arm | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.linux-musl-arm64 | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.linux-musl-arm64 | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.linux-musl-x64 | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.linux-musl-x64 | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.linux-x64 | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.linux-x64 | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.osx-arm64 | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.osx-arm64 | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.osx-x64 | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.osx-x64 | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.win-arm | >= 10.0.0 < 10.0.4 | 10.0.4 |
| microsoft | microsoft.netcore.app.runtime.win-arm | >= 9.0.0 < 9.0.14 | 9.0.14 |
| microsoft | microsoft.netcore.app.runtime.win-arm64 | >= 10.0.0 < 10.0.4 | 10.0.4 |

Detection & IOCs (extracted from sources)

  • CVE-2026-26127 is an out-of-bounds read DoS vulnerability in .NET that was publicly disclosed prior to patching; monitor for unexpected crashes or service restarts in .NET applications, particularly during or after network-based interactions
  • Consider the risk window during .NET service reboots triggered by CVE-2026-26127 exploitation — an attacker may attempt to evade detection by crashing log forwarders or security agents, then act during the blind spot
  • CVE-2026-26127 was publicly disclosed before a patch was available; treat it as a zero-day DoS risk for unpatched .NET deployments and prioritize patching Microsoft.Bcl.Memory and dotnet-apphost-pack-9.0 packages
  • No public exploit exists for CVE-2026-26127 as of the time of these reports; exploitation likelihood is assessed as lower but the public disclosure before patch increases risk
  • Affected packages include Microsoft.Bcl.Memory (NuGet) and dotnet-apphost-pack-9.0; fixes are available across multiple Linux distributions and Windows as of early April 2026
  • EPSS exploitation probability is low (0.1%) but the 28.3rd percentile ranking and zero-day public disclosure status warrant prioritized patching

CVSS provenance

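| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_msrc | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |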