CVE-2026-26127 - Vulnerability Details - OpenCVE

Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Microsoft	.net Bcl Memory

No data.

No data.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127

History

Tue, 10 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.
Title		.NET Denial of Service Vulnerability
First Time appeared		Microsoft Microsoft .net Microsoft bcl Memory
Weaknesses		CWE-125
CPEs		cpe:2.3:a:microsoft:.net:::::::: cpe:2.3:a:microsoft:Bcl_memory::::::::
Vendors & Products		Microsoft Microsoft .net Microsoft bcl Memory
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}`

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-03-10T17:05:10.752Z

Updated: 2026-03-10T18:01:26.809Z

Reserved: 2026-02-11T15:52:13.912Z

Link: CVE-2026-26127

Vulnrichment

Updated: 2026-03-10T18:01:22.602Z

NVD

Status : Received

Published: 2026-03-10T18:18:41.713

Modified: 2026-03-10T18:18:41.713

Link: CVE-2026-26127

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26127", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.912Z", "datePublished": "2026-03-10T17:05:10.752Z", "dateUpdated": "2026-03-10T18:01:26.809Z"}, "containers": {"cna": {"title": ".NET Denial of Service Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.14"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.14"}]}]}], "affected": [{"vendor": "Microsoft", "product": ".NET 10.0", "versions": [{"version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 9.0", "versions": [{"version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-125: Out-of-bounds Read", "lang": "en-US", "type": "CWE", "cweId": "CWE-125"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-10T17:05:10.752Z"}, "references": [{"name": ".NET Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T18:01:20.286864Z", "id": "CVE-2026-26127", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:01:26.809Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26127", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.912Z", "datePublished": "2026-03-10T17:05:10.752Z", "dateUpdated": "2026-03-10T18:01:26.809Z"}, "containers": {"cna": {"title": ".NET Denial of Service Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.14"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:Bcl_memory:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.14"}]}]}], "affected": [{"vendor": "Microsoft", "product": ".NET 10.0", "versions": [{"version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": ".NET 9.0", "versions": [{"version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"version": "10.0.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft.Bcl.Memory", "versions": [{"version": "9.0.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-125: Out-of-bounds Read", "lang": "en-US", "type": "CWE", "cweId": "CWE-125"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-10T17:05:10.752Z"}, "references": [{"name": ".NET Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26127", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T18:01:20.286864Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:01:22.602Z"}}]}}