CVE-2026-32178 — Improper Neutralization of Special Elements in Microsoft Visual Studio 2022 Version 17.12

CWE-138 — Improper Neutralization of Special Elements10 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 83.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Visual Studio 2022 Version 17.12 Microsoft Visual Studio 2022 Version 17.14 Microsoft NET 10.0 +14 more

Timeline

PublishedApr 14

Latest updateApr 15

Description

Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages17 packages

▶CVEListV5microsoft/net_8.08.0 — 8.0.26+1

▶CVEListV5microsoft/net_9.09.0.0 — 9.0.15

▶CVEListV5microsoft/net_10.010.0.0 — 10.0.6

▶NuGetmicrosoft/microsoft.netcore.app.runtime.osx-x6410.0.0 — 10.0.6+2

▶NuGetmicrosoft/microsoft.netcore.app.runtime.win-arm10.0.0 — 10.0.6+2

🔴Vulnerability Details

VulDB

Microsoft .NET 2016/2017/2019/2022/2025 special element↗2026-04-14

▶

GHSA

Microsoft Security Advisory CVE-2026-32178 – .NET Spoofing Vulnerability↗2026-04-14

▶

CVEList

.NET Spoofing Vulnerability↗2026-04-14

▶

📋Vendor Advisories

Ubuntu

.NET vulnerabilities↗2026-04-15

▶

Red Hat

dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw↗2026-04-14

▶

💬Community

Bugzilla

CVE-2026-32178 dotnet10.0: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-32178 dotnet9.0: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-32178 dotnet8.0: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-32178 dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw↗2026-04-13

▶

External resources

NVD MITRE

Affected products17

Microsoft Microsoft.netcore.app.runtime.linux-arm≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.linux-arm64≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.linux-musl-arm≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.linux-musl-arm64≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.linux-musl-x64≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.linux-x64≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.osx-arm64≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.osx-x64≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.win-arm≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Microsoft Microsoft.netcore.app.runtime.win-arm64≥ 10.0.0, < 10.0.6≥ 9.0.0, < 9.0.15≥ 8.0.0, < 8.0.26

Disclosure

PublishedApr 14, 2026

Latest updateApr 15, 2026