CVE-2026-32226 — Race Condition in Microsoft NET Framework 3.5 AND 4.7.2

CWE-362 — Race Condition CWE-821 — Incorrect Synchronization9 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 78.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft NET Framework 3.5 AND 4.7.2 Microsoft NET Framework 3.5 AND 4.8 Microsoft NET Framework 3.5 AND 4.8.1 +1 more

Timeline

PublishedApr 14

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5microsoft/microsoft_net_framework_4.84.8.0 — 4.8.4801.0

▶CVEListV5microsoft/microsoft_net_framework_3.5_and_4.84.8.0 — 2.0.50727.9068 & 3.0.30729.9065 & 4.8.4801.0

▶CVEListV5microsoft/microsoft_net_framework_3.5_and_4.7.24.7.0 — 2.0.50727.9068 & 3.0.30729.9065 & 4.7.4141.0

▶CVEListV5microsoft/microsoft_net_framework_3.5_and_4.8.14.8.1 — 2.0.50727.9181 & 3.0.30729.9165 & 4.8.9332.0

🔴Vulnerability Details

VulDB

Microsoft .NET Framework prior 4.8.9332.0 race condition↗2026-04-14

▶

GHSA

GHSA-fpfg-hmcm-qvcj: Concurrent execution using shared resource with improper synchronization ('race condition') in↗2026-04-14

▶

CVEList

.NET Framework Denial of Service Vulnerability↗2026-04-14

▶

📋Vendor Advisories

Red Hat

dotnet: .NET Framework: Denial of Service via race condition↗2026-04-14

▶

💬Community

Bugzilla

CVE-2026-32226 dotnet9.0: .NET Framework: Denial of Service via race condition [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-32226 dotnet: .NET Framework: Denial of Service via race condition↗2026-04-14

▶

Bugzilla

CVE-2026-32226 dotnet8.0: .NET Framework: Denial of Service via race condition [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-32226 dotnet10.0: .NET Framework: Denial of Service via race condition [fedora-all]↗2026-04-14

▶