CVE-2026-26171 — Uncontrolled Resource Consumption in Microsoft NET 10.0

CWE-400 — Uncontrolled Resource Consumption CWE-611 — XML External Entity (XXE) Injection CWE-776 — XML Entity Expansion9 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 30.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft NET 10.0 Microsoft NET 8.0 Microsoft NET 9.0

Timeline

PublishedApr 14

Latest updateApr 15

Description

Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5microsoft/net_8.08.0.0 — 8.0.26

▶CVEListV5microsoft/net_9.09.0.0 — 9.0.15

▶CVEListV5microsoft/net_10.010.0.0 — 10.0.6

🔴Vulnerability Details

CVEList

.NET Denial of Service Vulnerability↗2026-04-14

▶

GHSA

Microsoft Security Advisory CVE-2026-26171 – .NET Denial of Service Vulnerability↗2026-04-14

▶

📋Vendor Advisories

Ubuntu

.NET vulnerabilities↗2026-04-15

▶

Red Hat

dotnet: .NET: Security Bypass and Denial of Service Vulnerability↗2026-04-14

▶

💬Community

Bugzilla

CVE-2026-26171 dotnet9.0: .NET: Security Bypass and Denial of Service Vulnerability [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-26171 dotnet8.0: .NET: Security Bypass and Denial of Service Vulnerability [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-26171 dotnet10.0: .NET: Security Bypass and Denial of Service Vulnerability [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-26171 dotnet: .NET: Security Bypass and Denial of Service Vulnerability↗2026-04-13

▶